This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

GNU C Library master sources branch lxoliva/thread-safety-docs.stgit created. glibc-2.18-1283-g1ba4ff6


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, lxoliva/thread-safety-docs.stgit has been created
        at  1ba4ff625fde4ee563780edb919fd405dbb7e11a (commit)

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1ba4ff625fde4ee563780edb919fd405dbb7e11a

commit 1ba4ff625fde4ee563780edb919fd405dbb7e11a
Merge: 9a67aa8 3d982e9 8dcc1fc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:52:08 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9a67aa8f1a5ba0b9d0a3761bb0f7281c08f8bac2

commit 9a67aa8f1a5ba0b9d0a3761bb0f7281c08f8bac2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:52:08 2013 -0300

    float

diff --git a/meta b/meta
index d1ea3ca..6acab66 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 68379fd7aa430c571bb1b455da71c13a56186002
-Head: ca751b14a99f6ca19cd387c40c7caf7f1ee5c71a
+Previous: 8dcc1fc605293e377b1b3b196ac39b228f83271a
+Head: 3d982e90af49460d37c23c10f3cde364c598269c
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -21,14 +21,14 @@ Applied:
   manual-document-mt-safety-llio.patch: 97db8a779b727d321dc9cf106a644fa761073224
   manual-document-mt-safety-locale.patch: 7f05e88b0fe052bd57fbe1bd1ccb7858d9a527e3
   manual-document-mt-safety-stdio.patch: bf14604afc992972ae425a0cc64d4345c1443c86
-  wip-manual-document-mt-safety-math.patch: 5bbf285ade787de926d767c3417beadb4e17ca84
-  wip-manual-document-mt-safety-pattern.patch: 5136b46325225e9cd18f14795bba9e80f7df4a07
-  wip-manual-document-mt-safety-resource.patch: a74a71127664c49f6e66cf92fe2f50b0d0468097
-  wip-manual-document-mt-safety-startup.patch: 6d5ae028722ff5a2d6bc3335939bc5dceca2564b
-  wip-manual-document-mt-safety-search.patch: d011a67de1084c6dc09e112cd8356b867cfb9ee2
-  wip-manual-document-mt-safety-string.patch: 0f0207a1f9e087838409f6d0cb6ce1b1ce3c037d
-  wip-manual-document-mt-safety-terminal.patch: 8e43609f975993702fbcda503225c049d6c589be
-  wip-manual-document-mt-safety-threads.patch: 9ac0d00edce2fa5e88694ad2f4dfa7a86fc82b6c
-  wip-manual-document-mt-safety-time.patch: ca751b14a99f6ca19cd387c40c7caf7f1ee5c71a
+  wip-manual-document-mt-safety-pattern.patch: 6cf9b45a103ccc5656165a7d0853e72e1943f66a
+  wip-manual-document-mt-safety-resource.patch: 31fdcc2e40cc85faacf27d4247bb49604f945e2a
+  wip-manual-document-mt-safety-startup.patch: b13b7976ce56d128972d5a2bb04bb907a0661dee
+  wip-manual-document-mt-safety-search.patch: 511601826ccf40a83ac4e98820117ad8811dc5a0
+  wip-manual-document-mt-safety-string.patch: 1d120b93f49b9c1f4c44a49a07573c7ff19f4afd
+  wip-manual-document-mt-safety-terminal.patch: a5694376fe735dff550e59e048450335a9e5c8c4
+  wip-manual-document-mt-safety-threads.patch: d95db27ca339a074ca9b90b4373c420faeeede0c
+  wip-manual-document-mt-safety-time.patch: bd0a9d90000da3c55281a0dafdb4e3273ebe9047
+  wip-manual-document-mt-safety-math.patch: 3d982e90af49460d37c23c10f3cde364c598269c
 Unapplied:
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 447c1e4..478e891 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 2354d4aa92087b147a4a7f1f3a850dc073e8ac83
-Top:    e0ae0ec7f79cc39e8f29c1eee46e985a86436151
+Bottom: 1aae18f21a7abcf6ef192cc6d6ed3b80d59b841b
+Top:    574b1f3ead78e44f9134dc32d8cb5ccf08eeb941
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
index 9e888ec..5fbcc19 100644
--- a/patches/wip-manual-document-mt-safety-pattern.patch
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -1,5 +1,5 @@
-Bottom: e0ae0ec7f79cc39e8f29c1eee46e985a86436151
-Top:    7ffb7fa11ce809a35157c9878854ecf081914170
+Bottom: 2354d4aa92087b147a4a7f1f3a850dc073e8ac83
+Top:    9e348119582d4b7a6d3aae3c97c9a14f37762d4f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 03:02:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 9e73865..de8c53c 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 7ffb7fa11ce809a35157c9878854ecf081914170
-Top:    9e5b6bf2781971d6205b7140fd3dedfe51777593
+Bottom: 9e348119582d4b7a6d3aae3c97c9a14f37762d4f
+Top:    6ad89fbd423e8628ec6c87e489c9f01ff82f1c62
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 7b4d6eb..2951e4b 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: dde37196871d1c4086ac7baf306aa861a6f4d9b8
-Top:    0ae019fb1f8d91cdcda3e370462a4e56a12fa640
+Bottom: dac45915cce6219148b13a23ce8ec776453b6aab
+Top:    48b016e0371710e7bb553d5918bbec02de205264
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index f62e989..f81255c 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 9e5b6bf2781971d6205b7140fd3dedfe51777593
-Top:    dde37196871d1c4086ac7baf306aa861a6f4d9b8
+Bottom: 6ad89fbd423e8628ec6c87e489c9f01ff82f1c62
+Top:    dac45915cce6219148b13a23ce8ec776453b6aab
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index d70bef5..be1999e 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 0ae019fb1f8d91cdcda3e370462a4e56a12fa640
-Top:    6b383988fa40a69605d230973b14cabc32603c24
+Bottom: 48b016e0371710e7bb553d5918bbec02de205264
+Top:    387134961945f06e0ec10fe9dea6b8965205264f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 67c1a81..43823c9 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 6b383988fa40a69605d230973b14cabc32603c24
-Top:    fb68481249349a8485cf5875f3d611fe8904e2e5
+Bottom: 387134961945f06e0ec10fe9dea6b8965205264f
+Top:    0f34e8a094f9f2d3f9479215c902cd398d6ef448
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 2614101..78084f9 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: fb68481249349a8485cf5875f3d611fe8904e2e5
-Top:    e851d0d03b805478aac31e6844f2f0820a760ff0
+Bottom: 0f34e8a094f9f2d3f9479215c902cd398d6ef448
+Top:    e1d4b6174c3b1ae6df39351971073374faee18fb
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 4213d8a..b0386b2 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: e851d0d03b805478aac31e6844f2f0820a760ff0
-Top:    574b1f3ead78e44f9134dc32d8cb5ccf08eeb941
+Bottom: e1d4b6174c3b1ae6df39351971073374faee18fb
+Top:    1aae18f21a7abcf6ef192cc6d6ed3b80d59b841b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3d982e90af49460d37c23c10f3cde364c598269c

commit 3d982e90af49460d37c23c10f3cde364c598269c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bd0a9d90000da3c55281a0dafdb4e3273ebe9047

commit bd0a9d90000da3c55281a0dafdb4e3273ebe9047
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d95db27ca339a074ca9b90b4373c420faeeede0c

commit d95db27ca339a074ca9b90b4373c420faeeede0c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a5694376fe735dff550e59e048450335a9e5c8c4

commit a5694376fe735dff550e59e048450335a9e5c8c4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1d120b93f49b9c1f4c44a49a07573c7ff19f4afd

commit 1d120b93f49b9c1f4c44a49a07573c7ff19f4afd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 2a164a9..b63a849 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Calls strcoll_l with the current locale, which dereferences only the
+@c LC_COLLATE data pointer.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1351,6 +1361,8 @@ collating sequence of the current locale for collation (the
 @comment wchar.h
 @comment ISO
 @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Same as strcoll, but calling wcscoll_l.
 The @code{wcscoll} function is similar to @code{wcscmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1649,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1691,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2689,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=511601826ccf40a83ac4e98820117ad8811dc5a0

commit 511601826ccf40a83ac4e98820117ad8811dc5a0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b13b7976ce56d128972d5a2bb04bb907a0661dee

commit b13b7976ce56d128972d5a2bb04bb907a0661dee
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=31fdcc2e40cc85faacf27d4247bb49604f945e2a

commit 31fdcc2e40cc85faacf27d4247bb49604f945e2a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6cf9b45a103ccc5656165a7d0853e72e1943f66a

commit 6cf9b45a103ccc5656165a7d0853e72e1943f66a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..da2c8b6 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c All of the issues have to do with memory allocation and multi-byte 
+@c character handling present in the input string, or implied by ranges
+@c or inverted character classes.
+@c (re_)malloc asmalloc, memleak
+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
+@c    callers that don't zero the buffer)
+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   (re_)malloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c   _NL_CURRENT ok
+@c   _NL_CURRENT_WORD ok
+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  libc_lock_init ok
+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_construct_common ok
+@c   re_string_realloc_buffers asmalloc, memleak
+@c    (re_)realloc dup asmalloc, memleak
+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    isascii ok
+@c    mbsinit ok
+@c    toupper ok
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    iswlower glocale
+@c    towupper glocale
+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    (re_)malloc dup asmalloc, memleak
+@c   build_upper_buffer ok (glocale, but optimized)
+@c    islower ok
+@c    toupper ok
+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_translate_buffer ok
+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    peek_token ok (maybe glocale)
+@c     re_string_eoi ok
+@c     re_string_peek_byte ok
+@c     re_string_cur_idx ok
+@c     re_string_length ok
+@c     re_string_peek_byte_case ok (maybe glocale)
+@c      re_string_peek_byte dup ok
+@c      re_string_is_single_byte_char ok
+@c      isascii ok
+@c      re_string_peek_byte dup ok
+@c     re_string_wchar_at ok
+@c     re_string_skip_bytes ok
+@c    re_string_skip_bytes dup ok
+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_token_tree dup asmalloc, memleak
+@c      re_string_eoi dup ok
+@c      re_string_first_byte ok
+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_tree dup asmalloc, memleak
+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       postorder() asmalloc, memleak
+@c        free_tree asmalloc, memleak
+@c         free_token dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       _NL_CURRENT dup ok
+@c       _NL_CURRENT_WORD dup ok
+@c       calloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       peek_token_bracket ok
+@c        re_string_eoi dup ok
+@c        re_string_peek_byte dup ok
+@c        re_string_first_byte dup ok
+@c        re_string_cur_idx dup ok
+@c        re_string_length dup ok
+@c        re_string_skip_bytes dup ok
+@c       bitset_set ok
+@c       re_string_skip_bytes ok
+@c       parse_bracket_element ok (maybe glocale)
+@c        re_string_char_size_at ok
+@c        re_string_wchar_at dup ok
+@c        re_string_skip_bytes dup ok
+@c        parse_bracket_symbol ok (maybe glocale)
+@c         re_string_eoi dup ok
+@c         re_string_fetch_byte_case ok (maybe glocale)
+@c          re_string_fetch_byte ok
+@c          re_string_first_byte dup ok
+@c          isascii ok
+@c          re_string_char_size_at dup ok
+@c          re_string_skip_bytes dup ok
+@c         re_string_fetch_byte dup ok
+@c         re_string_peek_byte dup ok
+@c         re_string_skip_bytes dup ok
+@c        peek_token_bracket dup ok
+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         collseq_table_lookup ok
+@c         auto seek_collating_symbol_entry dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c        collseq_table_lookup dup ok
+@c       bitset_set dup ok
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_equiv_class (maybe glocale), asmalloc, memleak
+@c        _NL_CURRENT ok
+@c        auto findidx ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       auto build_collating_symbol asmalloc, memleak
+@c        auto seek_collating_symbol_entry ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       build_charclass (maybe glocale), asmalloc, memleak
+@c        (re_)realloc dup asmalloc, memleak
+@c        bitset_set dup ok
+@c        isalnum ok
+@c        iscntrl ok
+@c        isspace ok
+@c        isalpha ok
+@c        isdigit ok
+@c        isprint ok
+@c        isupper ok
+@c        isblank ok
+@c        isgraph ok
+@c        ispunct ok
+@c        isxdigit ok
+@c       bitset_not ok
+@c       bitset_mask ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c      init_word_char (maybe glocale)
+@c       isalnum ok
+@c      build_charclass_op (maybe glocale), asmalloc, memleak
+@c       calloc dup asmalloc, memleak
+@c       build_charclass dup (maybe glocale), asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c       bitset_set dup ok
+@c       bitset_not dup ok
+@c       bitset_mask dup ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_cur_idx dup ok
+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_set_index ok
+@c       postorder() asmalloc, memleak
+@c        free_tree dup asmalloc, memleak
+@c        mark_opt_subexp ok
+@c       duplicate_tree asmalloc, memleak
+@c        create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c     postorder() asmalloc, memleak
+@c      free_tree dup asmalloc, memleak
+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    create_tree dup asmalloc, memleak
+@c   create_tree asmalloc, memleak
+@c    create_token_tree asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c  analyze asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   preorder() asmalloc, memleak
+@c    optimize_subexps ok
+@c    calc_next ok
+@c    link_nfa_nodes asmalloc, memleak
+@c     re_node_set_init_1 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_2 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c   postorder() asmalloc, memleak
+@c    lower_subexps asmalloc, memleak
+@c     lower_subexp asmalloc, memleak
+@c      create_tree dup asmalloc, memleak
+@c    calc_first asmalloc, memleak
+@c     re_dfa_add_node asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c      re_node_set_init_empty ok
+@c   calc_eclosure asmalloc, memleak
+@c    calc_eclosure_iter asmalloc, memleak
+@c     re_node_set_alloc asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     duplicate_node_closure asmalloc, memleak
+@c      re_node_set_empty ok
+@c      duplicate_node asmalloc, memleak
+@c       re_dfa_add_node dup asmalloc, memleak
+@c      re_node_set_insert asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c      search_duplicated_node ok
+@c     re_node_set_merge asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c     re_node_set_free asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     re_node_set_insert dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   calc_inveclosure asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c    re_node_set_insert_last asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c  optimize_utf8 ok
+@c  create_initial_state asmalloc, memleak
+@c   re_node_set_init_copy asmalloc, memleak
+@c    (re_)malloc dup asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c   re_node_set_contains ok
+@c   re_node_set_merge dup asmalloc, memleak
+@c   re_acquire_state_context asmalloc, memleak
+@c    calc_state_hash ok
+@c    re_node_set_compare ok
+@c    create_cd_newstate asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c     free_state asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     NOT_SATISFY_PREV_CONSTRAINT ok
+@c     re_node_set_remove_at ok
+@c     register_state asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_insert_last dup asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c  free_workarea_compile asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  free_dfa_content asmalloc, memleak
+@c   free_token asmalloc, memleak
+@c    free_charset asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_set_fastmap ok
+@c    tolower ok
+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   towlower glocale
+@c   _NL_CURRENT ok
+@c (re_)free asmalloc, memleak
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for
@@ -885,6 +1130,247 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c libc_lock_lock selfdeadlock, lockleak
+@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_string_allocate asmalloc, memleak
+@c   re_string_construct_common dup ok
+@c   re_string_realloc_buffers dup asmalloc, memleak
+@c  match_ctx_init asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c  re_string_byte_at ok
+@c  re_string_first_byte dup ok
+@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_cur_idx dup ok
+@c   acquire_init_state_context dup asmalloc, memleak
+@c    re_string_context_at ok
+@c     re_string_byte_at dup ok
+@c     bitset_contain ok
+@c    re_acquire_state_context dup asmalloc, memleak
+@c   check_subexp_matching_top asmalloc, memleak
+@c    match_ctx_add_subtop asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_string_context_at dup ok
+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_get_buffer ok
+@c     search_cur_bkref_entry ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_realloc_buffers dup asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       build_upper_buffer dup ok (glocale, but optimized)
+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_translate_buffer dup ok
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       re_string_context_at dup ok
+@c       re_node_set_init_1 dup asmalloc, memleak
+@c       check_arrival_expand_ecl asmalloc, memleak
+@c        re_node_set_alloc dup asmalloc, memleak
+@c        find_subexp_node ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        check_arrival_expand_ecl_sub asmalloc, memleak
+@c         re_node_set_contains dup ok
+@c         re_node_set_insert dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_init_copy dup asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       expand_bkref_cache asmalloc, memleak
+@c        search_cur_bkref_entry dup ok
+@c        re_node_set_contains dup ok
+@c        re_node_set_init_1 dup asmalloc, memleak
+@c        check_arrival_expand_ecl dup asmalloc, memleak
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_init_copy dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_acquire_state asmalloc, memleak
+@c         calc_state_hash dup ok
+@c         re_node_set_compare dup ok
+@c         create_ci_newstate asmalloc, memleak
+@c          calloc dup asmalloc, memleak
+@c          re_node_set_init_copy dup asmalloc, memleak
+@c          (re_)free dup asmalloc, memleak
+@c          register_state dup asmalloc, memleak
+@c          free_state dup asmalloc, memleak
+@c       re_acquire_state_context dup asmalloc, memleak
+@c       re_node_set_merge dup asmalloc, memleak
+@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
+@c        re_node_set_init_empty dup ok
+@c        check_node_accept_bytes glocale, asmalloc, memleak
+@c         re_string_byte_at dup ok
+@c         re_string_char_size_at dup ok
+@c         re_string_elem_size_at (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c          auto findidx dup ok
+@c         _NL_CURRENT_WORD dup ok
+@c         _NL_CURRENT dup ok
+@c         collseq_table_lookup dup ok
+@c         find_collation_sequence_value (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c         auto findidx dup ok
+@c         wcscoll glocale, asmalloc, memleak
+@c        re_node_set_empty dup ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_acquire_state dup asmalloc, memleak
+@c        check_node_accept ok
+@c         re_string_byte_at dup ok
+@c         bitset_contain dup ok
+@c         re_string_context_at dup ok
+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c      match_ctx_add_entry asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     find_subexp_node dup ok
+@c     calloc dup asmalloc, memleak
+@c     check_arrival dup ***
+@c     match_ctx_add_sublast asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c    re_acquire_state_context dup asmalloc, memleak
+@c    re_node_set_init_union asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     re_node_set_init_empty dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top dup asmalloc, memleak
+@c   check_halt_state_context ok
+@c    re_string_context_at dup ok
+@c    check_halt_node_context ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c   re_string_eoi dup ok
+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_context_at dup ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c     check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     re_string_cur_idx dup ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_node_set_init_union dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c    re_string_fetch_byte dup ok
+@c    re_string_context_at dup ok
+@c    build_trtable asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     group_nodes_into_DFAstates asmalloc, memleak
+@c      bitset_empty dup ok
+@c      bitset_set dup ok
+@c      bitset_merge dup ok
+@c      bitset_set_all ok
+@c      bitset_clear ok
+@c      bitset_contain dup ok
+@c      bitset_copy ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      re_node_set_init_1 dup asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c     re_node_set_alloc dup asmalloc, memleak
+@c     malloc dup asmalloc, memleak
+@c     free dup asmalloc, memleak
+@c     re_node_set_free dup asmalloc, memleak
+@c     bitset_empty ok
+@c     re_node_set_empty dup ok
+@c     re_node_set_merge dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c     bitset_merge ok
+@c     calloc dup asmalloc, memleak
+@c     bitset_contain dup ok
+@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_string_context_at dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top asmalloc, memleak
+@c     match_ctx_add_subtop dup asmalloc, memleak
+@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   find_recover_state
+@c    re_string_cur_idx dup ok
+@c    re_string_skip_bytes dup ok
+@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  check_halt_state_context dup ok
+@c  prune_impossible_nodes glocale, asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   sift_ctx_init ok
+@c    re_node_set_init_empty dup ok
+@c   sift_states_backward glocale, asmalloc, memleak
+@c    re_node_set_init_1 dup asmalloc, memleak
+@c    update_cur_sifted_state glocale, asmalloc, memleak
+@c     add_epsilon_src_nodes asmalloc, memleak
+@c      re_acquire_state dup asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_merge dup asmalloc, memleak
+@c      re_node_set_add_intersect asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c     check_subexp_limits asmalloc, memleak
+@c      sub_epsilon_src_nodes asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_add_intersect dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_contains dup ok
+@c     re_acquire_state dup asmalloc, memleak
+@c     sift_states_bkref glocale, asmalloc, memleak
+@c      search_cur_bkref_entry dup ok
+@c      check_dst_limits ok
+@c       search_cur_bkref_entry dup ok
+@c       check_dst_limits_calc_pos ok
+@c        check_dst_limits_calc_pos_1 ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      sift_states_backward dup glocale, asmalloc, memleak
+@c      merge_state_array dup asmalloc, memleak
+@c      re_node_set_remove ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_free dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    re_node_set_empty dup ok
+@c    build_sifted_states glocale, asmalloc, memleak
+@c     sift_states_iter_mb glocale, asmalloc, memleak
+@c      check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     check_node_accept dup ok
+@c     check_dst_limits dup ok
+@c     re_node_set_insert dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c   check_halt_state_context dup ok
+@c   merge_state_array asmalloc, memleak
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_acquire_state dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  set_regs asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   re_node_set_init_empty dup ok
+@c   free_fail_stack_return asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   update_regs ok
+@c   re_node_set_free dup asmalloc, memleak
+@c   pop_fail_stack asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  (re_)free dup asmalloc, memleak
+@c  match_ctx_free asmalloc, memleak
+@c   match_ctx_clean asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct dup asmalloc, memleak
+@c libc_lock_unlock lockleak
 This function tries to match the compiled regular expression
 @code{*@var{compiled}} against @var{string}.
 
@@ -1047,6 +1533,9 @@ free the storage it uses by calling @code{regfree}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun void regfree (regex_t *@var{compiled})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c (re_)free dup asmalloc, memleak
+@c free_dfa_content dup asmalloc, memleak
 Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
 points to.  This includes various internal fields of the @code{regex_t}
 structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8dcc1fc605293e377b1b3b196ac39b228f83271a

commit 8dcc1fc605293e377b1b3b196ac39b228f83271a
Merge: ef3f8e3 ca751b1 68379fd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:52:02 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ef3f8e3a7a92ec9b1081abc002f42ece677b7b8c

commit ef3f8e3a7a92ec9b1081abc002f42ece677b7b8c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:52:02 2013 -0300

    push

diff --git a/meta b/meta
index 9c3823b..d1ea3ca 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6bce3f5791083d308b605e951d47f834711f5091
-Head: 7f05e88b0fe052bd57fbe1bd1ccb7858d9a527e3
+Previous: 68379fd7aa430c571bb1b455da71c13a56186002
+Head: ca751b14a99f6ca19cd387c40c7caf7f1ee5c71a
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -20,15 +20,15 @@ Applied:
   manual-document-mt-safety-lang.patch: eadd5e24321249b093b22f50057e8396fd887b2d
   manual-document-mt-safety-llio.patch: 97db8a779b727d321dc9cf106a644fa761073224
   manual-document-mt-safety-locale.patch: 7f05e88b0fe052bd57fbe1bd1ccb7858d9a527e3
+  manual-document-mt-safety-stdio.patch: bf14604afc992972ae425a0cc64d4345c1443c86
+  wip-manual-document-mt-safety-math.patch: 5bbf285ade787de926d767c3417beadb4e17ca84
+  wip-manual-document-mt-safety-pattern.patch: 5136b46325225e9cd18f14795bba9e80f7df4a07
+  wip-manual-document-mt-safety-resource.patch: a74a71127664c49f6e66cf92fe2f50b0d0468097
+  wip-manual-document-mt-safety-startup.patch: 6d5ae028722ff5a2d6bc3335939bc5dceca2564b
+  wip-manual-document-mt-safety-search.patch: d011a67de1084c6dc09e112cd8356b867cfb9ee2
+  wip-manual-document-mt-safety-string.patch: 0f0207a1f9e087838409f6d0cb6ce1b1ce3c037d
+  wip-manual-document-mt-safety-terminal.patch: 8e43609f975993702fbcda503225c049d6c589be
+  wip-manual-document-mt-safety-threads.patch: 9ac0d00edce2fa5e88694ad2f4dfa7a86fc82b6c
+  wip-manual-document-mt-safety-time.patch: ca751b14a99f6ca19cd387c40c7caf7f1ee5c71a
 Unapplied:
-  manual-document-mt-safety-stdio.patch: 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
-  wip-manual-document-mt-safety-math.patch: db9625097d5f7d73d8ba1e10cf6a592ef525404f
-  wip-manual-document-mt-safety-pattern.patch: 9d8222797fb192c47f61ef2756ba9bf721caed9d
-  wip-manual-document-mt-safety-resource.patch: ea9df22bfd43daf99bbcadfa546e4989e0bec7ea
-  wip-manual-document-mt-safety-startup.patch: 774b847dc98387e90b576162ae3037de3f804693
-  wip-manual-document-mt-safety-search.patch: 33ed2f703bf905ac3dbb8beadda4548fb8ec09d2
-  wip-manual-document-mt-safety-string.patch: b821402693242076cefaf22a0d5f04c48fedd3d0
-  wip-manual-document-mt-safety-terminal.patch: 21de0b6010d4445b2194624a4776886fcf61f982
-  wip-manual-document-mt-safety-threads.patch: eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
-  wip-manual-document-mt-safety-time.patch: 23fab67522c5b3d91610013fb2c8562cf7ec3169
 Hidden:
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 9a6df66..431234b 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: dbeae1070d7f82bd45fdd09f92ac8b9617a600a7
-Top:    f26c5c6c4721a7c34f60aa5f7bc732d04153cd64
+Bottom: 84b8d343b6e17d8574bbe4b1f9cb2a37cb54b27e
+Top:    2354d4aa92087b147a4a7f1f3a850dc073e8ac83
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index b0d3038..447c1e4 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: f26c5c6c4721a7c34f60aa5f7bc732d04153cd64
-Top:    1edf7473ed3adfbf39a7390aa6530490cabd4b27
+Bottom: 2354d4aa92087b147a4a7f1f3a850dc073e8ac83
+Top:    e0ae0ec7f79cc39e8f29c1eee46e985a86436151
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
index 3e44fe7..9e888ec 100644
--- a/patches/wip-manual-document-mt-safety-pattern.patch
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -1,5 +1,5 @@
-Bottom: 1edf7473ed3adfbf39a7390aa6530490cabd4b27
-Top:    e9dc853cd4e0bf04e89587ca842442a911baed92
+Bottom: e0ae0ec7f79cc39e8f29c1eee46e985a86436151
+Top:    7ffb7fa11ce809a35157c9878854ecf081914170
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 03:02:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 4a933c4..9e73865 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: e9dc853cd4e0bf04e89587ca842442a911baed92
-Top:    ffd5cfff82d2353229204337d172ca6232c502d5
+Bottom: 7ffb7fa11ce809a35157c9878854ecf081914170
+Top:    9e5b6bf2781971d6205b7140fd3dedfe51777593
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index ae3f846..7b4d6eb 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 2f7ecd5a953ea11aa3294ac487aa5f53c941a28a
-Top:    da16f2d144f592ae1c849bcff6b273474b94d60c
+Bottom: dde37196871d1c4086ac7baf306aa861a6f4d9b8
+Top:    0ae019fb1f8d91cdcda3e370462a4e56a12fa640
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index ec93026..f62e989 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: ffd5cfff82d2353229204337d172ca6232c502d5
-Top:    2f7ecd5a953ea11aa3294ac487aa5f53c941a28a
+Bottom: 9e5b6bf2781971d6205b7140fd3dedfe51777593
+Top:    dde37196871d1c4086ac7baf306aa861a6f4d9b8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index f01c56b..d70bef5 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: da16f2d144f592ae1c849bcff6b273474b94d60c
-Top:    d48407311de1aa694a411ebc9cc94142760cb765
+Bottom: 0ae019fb1f8d91cdcda3e370462a4e56a12fa640
+Top:    6b383988fa40a69605d230973b14cabc32603c24
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index a90b426..67c1a81 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: d48407311de1aa694a411ebc9cc94142760cb765
-Top:    1c64962cf5d20e506eff6118547fd4edf52ad63a
+Bottom: 6b383988fa40a69605d230973b14cabc32603c24
+Top:    fb68481249349a8485cf5875f3d611fe8904e2e5
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index bee22e1..2614101 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 1c64962cf5d20e506eff6118547fd4edf52ad63a
-Top:    3cfff0bb2a5e937f8fe10f3c1a9b77ca1b079659
+Bottom: fb68481249349a8485cf5875f3d611fe8904e2e5
+Top:    e851d0d03b805478aac31e6844f2f0820a760ff0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index f2267fc..4213d8a 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 3cfff0bb2a5e937f8fe10f3c1a9b77ca1b079659
-Top:    7f940b008b7f2743c4684dd4fcac50b2e707388b
+Bottom: e851d0d03b805478aac31e6844f2f0820a760ff0
+Top:    574b1f3ead78e44f9134dc32d8cb5ccf08eeb941
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ca751b14a99f6ca19cd387c40c7caf7f1ee5c71a

commit ca751b14a99f6ca19cd387c40c7caf7f1ee5c71a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9ac0d00edce2fa5e88694ad2f4dfa7a86fc82b6c

commit 9ac0d00edce2fa5e88694ad2f4dfa7a86fc82b6c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8e43609f975993702fbcda503225c049d6c589be

commit 8e43609f975993702fbcda503225c049d6c589be
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0f0207a1f9e087838409f6d0cb6ce1b1ce3c037d

commit 0f0207a1f9e087838409f6d0cb6ce1b1ce3c037d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 2a164a9..b63a849 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Calls strcoll_l with the current locale, which dereferences only the
+@c LC_COLLATE data pointer.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1351,6 +1361,8 @@ collating sequence of the current locale for collation (the
 @comment wchar.h
 @comment ISO
 @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Same as strcoll, but calling wcscoll_l.
 The @code{wcscoll} function is similar to @code{wcscmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1649,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1691,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2689,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d011a67de1084c6dc09e112cd8356b867cfb9ee2

commit d011a67de1084c6dc09e112cd8356b867cfb9ee2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bf14604afc992972ae425a0cc64d4345c1443c86

commit bf14604afc992972ae425a0cc64d4345c1443c86
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 30630ca..9ffe87b 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger than @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1397,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1407,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1417,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1546,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1631,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2393,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2403,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2444,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2653,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2662,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale, asmalloc, memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2827,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4243,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4441,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4636,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4806,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4823,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4948,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5118,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5234,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6d5ae028722ff5a2d6bc3335939bc5dceca2564b

commit 6d5ae028722ff5a2d6bc3335939bc5dceca2564b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a74a71127664c49f6e66cf92fe2f50b0d0468097

commit a74a71127664c49f6e66cf92fe2f50b0d0468097
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5136b46325225e9cd18f14795bba9e80f7df4a07

commit 5136b46325225e9cd18f14795bba9e80f7df4a07
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..da2c8b6 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c All of the issues have to do with memory allocation and multi-byte 
+@c character handling present in the input string, or implied by ranges
+@c or inverted character classes.
+@c (re_)malloc asmalloc, memleak
+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
+@c    callers that don't zero the buffer)
+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   (re_)malloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c   _NL_CURRENT ok
+@c   _NL_CURRENT_WORD ok
+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  libc_lock_init ok
+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_construct_common ok
+@c   re_string_realloc_buffers asmalloc, memleak
+@c    (re_)realloc dup asmalloc, memleak
+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    isascii ok
+@c    mbsinit ok
+@c    toupper ok
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    iswlower glocale
+@c    towupper glocale
+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    (re_)malloc dup asmalloc, memleak
+@c   build_upper_buffer ok (glocale, but optimized)
+@c    islower ok
+@c    toupper ok
+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_translate_buffer ok
+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    peek_token ok (maybe glocale)
+@c     re_string_eoi ok
+@c     re_string_peek_byte ok
+@c     re_string_cur_idx ok
+@c     re_string_length ok
+@c     re_string_peek_byte_case ok (maybe glocale)
+@c      re_string_peek_byte dup ok
+@c      re_string_is_single_byte_char ok
+@c      isascii ok
+@c      re_string_peek_byte dup ok
+@c     re_string_wchar_at ok
+@c     re_string_skip_bytes ok
+@c    re_string_skip_bytes dup ok
+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_token_tree dup asmalloc, memleak
+@c      re_string_eoi dup ok
+@c      re_string_first_byte ok
+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_tree dup asmalloc, memleak
+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       postorder() asmalloc, memleak
+@c        free_tree asmalloc, memleak
+@c         free_token dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       _NL_CURRENT dup ok
+@c       _NL_CURRENT_WORD dup ok
+@c       calloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       peek_token_bracket ok
+@c        re_string_eoi dup ok
+@c        re_string_peek_byte dup ok
+@c        re_string_first_byte dup ok
+@c        re_string_cur_idx dup ok
+@c        re_string_length dup ok
+@c        re_string_skip_bytes dup ok
+@c       bitset_set ok
+@c       re_string_skip_bytes ok
+@c       parse_bracket_element ok (maybe glocale)
+@c        re_string_char_size_at ok
+@c        re_string_wchar_at dup ok
+@c        re_string_skip_bytes dup ok
+@c        parse_bracket_symbol ok (maybe glocale)
+@c         re_string_eoi dup ok
+@c         re_string_fetch_byte_case ok (maybe glocale)
+@c          re_string_fetch_byte ok
+@c          re_string_first_byte dup ok
+@c          isascii ok
+@c          re_string_char_size_at dup ok
+@c          re_string_skip_bytes dup ok
+@c         re_string_fetch_byte dup ok
+@c         re_string_peek_byte dup ok
+@c         re_string_skip_bytes dup ok
+@c        peek_token_bracket dup ok
+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         collseq_table_lookup ok
+@c         auto seek_collating_symbol_entry dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c        collseq_table_lookup dup ok
+@c       bitset_set dup ok
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_equiv_class (maybe glocale), asmalloc, memleak
+@c        _NL_CURRENT ok
+@c        auto findidx ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       auto build_collating_symbol asmalloc, memleak
+@c        auto seek_collating_symbol_entry ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       build_charclass (maybe glocale), asmalloc, memleak
+@c        (re_)realloc dup asmalloc, memleak
+@c        bitset_set dup ok
+@c        isalnum ok
+@c        iscntrl ok
+@c        isspace ok
+@c        isalpha ok
+@c        isdigit ok
+@c        isprint ok
+@c        isupper ok
+@c        isblank ok
+@c        isgraph ok
+@c        ispunct ok
+@c        isxdigit ok
+@c       bitset_not ok
+@c       bitset_mask ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c      init_word_char (maybe glocale)
+@c       isalnum ok
+@c      build_charclass_op (maybe glocale), asmalloc, memleak
+@c       calloc dup asmalloc, memleak
+@c       build_charclass dup (maybe glocale), asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c       bitset_set dup ok
+@c       bitset_not dup ok
+@c       bitset_mask dup ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_cur_idx dup ok
+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_set_index ok
+@c       postorder() asmalloc, memleak
+@c        free_tree dup asmalloc, memleak
+@c        mark_opt_subexp ok
+@c       duplicate_tree asmalloc, memleak
+@c        create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c     postorder() asmalloc, memleak
+@c      free_tree dup asmalloc, memleak
+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    create_tree dup asmalloc, memleak
+@c   create_tree asmalloc, memleak
+@c    create_token_tree asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c  analyze asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   preorder() asmalloc, memleak
+@c    optimize_subexps ok
+@c    calc_next ok
+@c    link_nfa_nodes asmalloc, memleak
+@c     re_node_set_init_1 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_2 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c   postorder() asmalloc, memleak
+@c    lower_subexps asmalloc, memleak
+@c     lower_subexp asmalloc, memleak
+@c      create_tree dup asmalloc, memleak
+@c    calc_first asmalloc, memleak
+@c     re_dfa_add_node asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c      re_node_set_init_empty ok
+@c   calc_eclosure asmalloc, memleak
+@c    calc_eclosure_iter asmalloc, memleak
+@c     re_node_set_alloc asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     duplicate_node_closure asmalloc, memleak
+@c      re_node_set_empty ok
+@c      duplicate_node asmalloc, memleak
+@c       re_dfa_add_node dup asmalloc, memleak
+@c      re_node_set_insert asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c      search_duplicated_node ok
+@c     re_node_set_merge asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c     re_node_set_free asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     re_node_set_insert dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   calc_inveclosure asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c    re_node_set_insert_last asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c  optimize_utf8 ok
+@c  create_initial_state asmalloc, memleak
+@c   re_node_set_init_copy asmalloc, memleak
+@c    (re_)malloc dup asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c   re_node_set_contains ok
+@c   re_node_set_merge dup asmalloc, memleak
+@c   re_acquire_state_context asmalloc, memleak
+@c    calc_state_hash ok
+@c    re_node_set_compare ok
+@c    create_cd_newstate asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c     free_state asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     NOT_SATISFY_PREV_CONSTRAINT ok
+@c     re_node_set_remove_at ok
+@c     register_state asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_insert_last dup asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c  free_workarea_compile asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  free_dfa_content asmalloc, memleak
+@c   free_token asmalloc, memleak
+@c    free_charset asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_set_fastmap ok
+@c    tolower ok
+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   towlower glocale
+@c   _NL_CURRENT ok
+@c (re_)free asmalloc, memleak
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for
@@ -885,6 +1130,247 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c libc_lock_lock selfdeadlock, lockleak
+@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_string_allocate asmalloc, memleak
+@c   re_string_construct_common dup ok
+@c   re_string_realloc_buffers dup asmalloc, memleak
+@c  match_ctx_init asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c  re_string_byte_at ok
+@c  re_string_first_byte dup ok
+@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_cur_idx dup ok
+@c   acquire_init_state_context dup asmalloc, memleak
+@c    re_string_context_at ok
+@c     re_string_byte_at dup ok
+@c     bitset_contain ok
+@c    re_acquire_state_context dup asmalloc, memleak
+@c   check_subexp_matching_top asmalloc, memleak
+@c    match_ctx_add_subtop asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_string_context_at dup ok
+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_get_buffer ok
+@c     search_cur_bkref_entry ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_realloc_buffers dup asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       build_upper_buffer dup ok (glocale, but optimized)
+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_translate_buffer dup ok
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       re_string_context_at dup ok
+@c       re_node_set_init_1 dup asmalloc, memleak
+@c       check_arrival_expand_ecl asmalloc, memleak
+@c        re_node_set_alloc dup asmalloc, memleak
+@c        find_subexp_node ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        check_arrival_expand_ecl_sub asmalloc, memleak
+@c         re_node_set_contains dup ok
+@c         re_node_set_insert dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_init_copy dup asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       expand_bkref_cache asmalloc, memleak
+@c        search_cur_bkref_entry dup ok
+@c        re_node_set_contains dup ok
+@c        re_node_set_init_1 dup asmalloc, memleak
+@c        check_arrival_expand_ecl dup asmalloc, memleak
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_init_copy dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_acquire_state asmalloc, memleak
+@c         calc_state_hash dup ok
+@c         re_node_set_compare dup ok
+@c         create_ci_newstate asmalloc, memleak
+@c          calloc dup asmalloc, memleak
+@c          re_node_set_init_copy dup asmalloc, memleak
+@c          (re_)free dup asmalloc, memleak
+@c          register_state dup asmalloc, memleak
+@c          free_state dup asmalloc, memleak
+@c       re_acquire_state_context dup asmalloc, memleak
+@c       re_node_set_merge dup asmalloc, memleak
+@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
+@c        re_node_set_init_empty dup ok
+@c        check_node_accept_bytes glocale, asmalloc, memleak
+@c         re_string_byte_at dup ok
+@c         re_string_char_size_at dup ok
+@c         re_string_elem_size_at (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c          auto findidx dup ok
+@c         _NL_CURRENT_WORD dup ok
+@c         _NL_CURRENT dup ok
+@c         collseq_table_lookup dup ok
+@c         find_collation_sequence_value (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c         auto findidx dup ok
+@c         wcscoll glocale, asmalloc, memleak
+@c        re_node_set_empty dup ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_acquire_state dup asmalloc, memleak
+@c        check_node_accept ok
+@c         re_string_byte_at dup ok
+@c         bitset_contain dup ok
+@c         re_string_context_at dup ok
+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c      match_ctx_add_entry asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     find_subexp_node dup ok
+@c     calloc dup asmalloc, memleak
+@c     check_arrival dup ***
+@c     match_ctx_add_sublast asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c    re_acquire_state_context dup asmalloc, memleak
+@c    re_node_set_init_union asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     re_node_set_init_empty dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top dup asmalloc, memleak
+@c   check_halt_state_context ok
+@c    re_string_context_at dup ok
+@c    check_halt_node_context ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c   re_string_eoi dup ok
+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_context_at dup ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c     check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     re_string_cur_idx dup ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_node_set_init_union dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c    re_string_fetch_byte dup ok
+@c    re_string_context_at dup ok
+@c    build_trtable asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     group_nodes_into_DFAstates asmalloc, memleak
+@c      bitset_empty dup ok
+@c      bitset_set dup ok
+@c      bitset_merge dup ok
+@c      bitset_set_all ok
+@c      bitset_clear ok
+@c      bitset_contain dup ok
+@c      bitset_copy ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      re_node_set_init_1 dup asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c     re_node_set_alloc dup asmalloc, memleak
+@c     malloc dup asmalloc, memleak
+@c     free dup asmalloc, memleak
+@c     re_node_set_free dup asmalloc, memleak
+@c     bitset_empty ok
+@c     re_node_set_empty dup ok
+@c     re_node_set_merge dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c     bitset_merge ok
+@c     calloc dup asmalloc, memleak
+@c     bitset_contain dup ok
+@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_string_context_at dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top asmalloc, memleak
+@c     match_ctx_add_subtop dup asmalloc, memleak
+@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   find_recover_state
+@c    re_string_cur_idx dup ok
+@c    re_string_skip_bytes dup ok
+@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  check_halt_state_context dup ok
+@c  prune_impossible_nodes glocale, asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   sift_ctx_init ok
+@c    re_node_set_init_empty dup ok
+@c   sift_states_backward glocale, asmalloc, memleak
+@c    re_node_set_init_1 dup asmalloc, memleak
+@c    update_cur_sifted_state glocale, asmalloc, memleak
+@c     add_epsilon_src_nodes asmalloc, memleak
+@c      re_acquire_state dup asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_merge dup asmalloc, memleak
+@c      re_node_set_add_intersect asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c     check_subexp_limits asmalloc, memleak
+@c      sub_epsilon_src_nodes asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_add_intersect dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_contains dup ok
+@c     re_acquire_state dup asmalloc, memleak
+@c     sift_states_bkref glocale, asmalloc, memleak
+@c      search_cur_bkref_entry dup ok
+@c      check_dst_limits ok
+@c       search_cur_bkref_entry dup ok
+@c       check_dst_limits_calc_pos ok
+@c        check_dst_limits_calc_pos_1 ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      sift_states_backward dup glocale, asmalloc, memleak
+@c      merge_state_array dup asmalloc, memleak
+@c      re_node_set_remove ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_free dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    re_node_set_empty dup ok
+@c    build_sifted_states glocale, asmalloc, memleak
+@c     sift_states_iter_mb glocale, asmalloc, memleak
+@c      check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     check_node_accept dup ok
+@c     check_dst_limits dup ok
+@c     re_node_set_insert dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c   check_halt_state_context dup ok
+@c   merge_state_array asmalloc, memleak
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_acquire_state dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  set_regs asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   re_node_set_init_empty dup ok
+@c   free_fail_stack_return asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   update_regs ok
+@c   re_node_set_free dup asmalloc, memleak
+@c   pop_fail_stack asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  (re_)free dup asmalloc, memleak
+@c  match_ctx_free asmalloc, memleak
+@c   match_ctx_clean asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct dup asmalloc, memleak
+@c libc_lock_unlock lockleak
 This function tries to match the compiled regular expression
 @code{*@var{compiled}} against @var{string}.
 
@@ -1047,6 +1533,9 @@ free the storage it uses by calling @code{regfree}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun void regfree (regex_t *@var{compiled})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c (re_)free dup asmalloc, memleak
+@c free_dfa_content dup asmalloc, memleak
 Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
 points to.  This includes various internal fields of the @code{regex_t}
 structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5bbf285ade787de926d767c3417beadb4e17ca84

commit 5bbf285ade787de926d767c3417beadb4e17ca84
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=68379fd7aa430c571bb1b455da71c13a56186002

commit 68379fd7aa430c571bb1b455da71c13a56186002
Merge: 5576362 7f05e88 6bce3f5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:51:54 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5576362f8cd7fd634eaf2d25e762a6f58eccf4d3

commit 5576362f8cd7fd634eaf2d25e762a6f58eccf4d3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:51:54 2013 -0300

    float

diff --git a/meta b/meta
index 4cc4baf..9c3823b 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 2d8a3ec53d2e0fdc4378cae6c72ada4246c12fd9
-Head: 97db8a779b727d321dc9cf106a644fa761073224
+Previous: 6bce3f5791083d308b605e951d47f834711f5091
+Head: 7f05e88b0fe052bd57fbe1bd1ccb7858d9a527e3
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -19,6 +19,7 @@ Applied:
   manual-document-mt-safety-job.patch: 950462adffbb683bfe87aa0e8e80419c3ebe59f8
   manual-document-mt-safety-lang.patch: eadd5e24321249b093b22f50057e8396fd887b2d
   manual-document-mt-safety-llio.patch: 97db8a779b727d321dc9cf106a644fa761073224
+  manual-document-mt-safety-locale.patch: 7f05e88b0fe052bd57fbe1bd1ccb7858d9a527e3
 Unapplied:
   manual-document-mt-safety-stdio.patch: 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
   wip-manual-document-mt-safety-math.patch: db9625097d5f7d73d8ba1e10cf6a592ef525404f
@@ -30,5 +31,4 @@ Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 21de0b6010d4445b2194624a4776886fcf61f982
   wip-manual-document-mt-safety-threads.patch: eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
   wip-manual-document-mt-safety-time.patch: 23fab67522c5b3d91610013fb2c8562cf7ec3169
-  manual-document-mt-safety-locale.patch: 4214cb36d3708ec427b9de7324c804d24d9c3552
 Hidden:
diff --git a/patches/manual-document-mt-safety-locale.patch b/patches/manual-document-mt-safety-locale.patch
index c54933c..ffc2d2e 100644
--- a/patches/manual-document-mt-safety-locale.patch
+++ b/patches/manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 7f940b008b7f2743c4684dd4fcac50b2e707388b
-Top:    574b1f3ead78e44f9134dc32d8cb5ccf08eeb941
+Bottom: dbeae1070d7f82bd45fdd09f92ac8b9617a600a7
+Top:    84b8d343b6e17d8574bbe4b1f9cb2a37cb54b27e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:01 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7f05e88b0fe052bd57fbe1bd1ccb7858d9a527e3

commit 7f05e88b0fe052bd57fbe1bd1ccb7858d9a527e3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..4afa104 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
@@ -414,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -680,6 +815,10 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.  It
+@c doesn't run afoul of glocale itself, but callers may.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -974,6 +1113,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified
@@ -1185,6 +1329,10 @@ access to the corresponding locale definitions.
 @comment GNU
 @comment stdlib.h
 @deftypefun int rpmatch (const char *@var{response})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale, but
+@c it's regcomp and regexec that bring in all of the safety issues.
+@c regfree is also called, but it doesn't introduce any further issues.
 The function @code{rpmatch} checks the string in @var{response} whether
 or not it is a correct yes-or-no answer and if yes, which one.  The
 check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6bce3f5791083d308b605e951d47f834711f5091

commit 6bce3f5791083d308b605e951d47f834711f5091
Merge: 9d0c022 2d8a3ec
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:51:52 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9d0c02285c888d85cf7c7a4034bdb86158015266

commit 9d0c02285c888d85cf7c7a4034bdb86158015266
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:51:52 2013 -0300

    goto

diff --git a/meta b/meta
index 1dfc36e..4cc4baf 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: e3dcc27d73ed78e729a25718727eb83d631db0ec
-Head: 4214cb36d3708ec427b9de7324c804d24d9c3552
+Previous: 2d8a3ec53d2e0fdc4378cae6c72ada4246c12fd9
+Head: 97db8a779b727d321dc9cf106a644fa761073224
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -19,6 +19,7 @@ Applied:
   manual-document-mt-safety-job.patch: 950462adffbb683bfe87aa0e8e80419c3ebe59f8
   manual-document-mt-safety-lang.patch: eadd5e24321249b093b22f50057e8396fd887b2d
   manual-document-mt-safety-llio.patch: 97db8a779b727d321dc9cf106a644fa761073224
+Unapplied:
   manual-document-mt-safety-stdio.patch: 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
   wip-manual-document-mt-safety-math.patch: db9625097d5f7d73d8ba1e10cf6a592ef525404f
   wip-manual-document-mt-safety-pattern.patch: 9d8222797fb192c47f61ef2756ba9bf721caed9d
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
   wip-manual-document-mt-safety-time.patch: 23fab67522c5b3d91610013fb2c8562cf7ec3169
   manual-document-mt-safety-locale.patch: 4214cb36d3708ec427b9de7324c804d24d9c3552
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2d8a3ec53d2e0fdc4378cae6c72ada4246c12fd9

commit 2d8a3ec53d2e0fdc4378cae6c72ada4246c12fd9
Merge: 98c4328 e3dcc27
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:45:16 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=98c43286bd19784213c63c86f9f2d95667d8d9a1

commit 98c43286bd19784213c63c86f9f2d95667d8d9a1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:45:16 2013 -0300

    rename

diff --git a/meta b/meta
index 0d47e02..1dfc36e 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 0a7907b63c6a66c7e414744103819d7f8366771e
+Previous: e3dcc27d73ed78e729a25718727eb83d631db0ec
 Head: 4214cb36d3708ec427b9de7324c804d24d9c3552
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
@@ -29,6 +29,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 21de0b6010d4445b2194624a4776886fcf61f982
   wip-manual-document-mt-safety-threads.patch: eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
   wip-manual-document-mt-safety-time.patch: 23fab67522c5b3d91610013fb2c8562cf7ec3169
-  wip-manual-document-mt-safety-locale.patch: 4214cb36d3708ec427b9de7324c804d24d9c3552
+  manual-document-mt-safety-locale.patch: 4214cb36d3708ec427b9de7324c804d24d9c3552
 Unapplied:
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/manual-document-mt-safety-locale.patch
similarity index 100%
rename from patches/wip-manual-document-mt-safety-locale.patch
rename to patches/manual-document-mt-safety-locale.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e3dcc27d73ed78e729a25718727eb83d631db0ec

commit e3dcc27d73ed78e729a25718727eb83d631db0ec
Merge: b12a923 4214cb3 0a7907b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:45:07 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b12a923becc8608e582c2916f742678409b83dff

commit b12a923becc8608e582c2916f742678409b83dff
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:45:07 2013 -0300

    refresh

diff --git a/meta b/meta
index 629a4c4..0d47e02 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 0e6cf8b865cd53052d4ecb71f3d21a2efd6d6c26
-Head: dbb3da270a19fb43d667c13537697660a656c235
+Previous: 0a7907b63c6a66c7e414744103819d7f8366771e
+Head: 4214cb36d3708ec427b9de7324c804d24d9c3552
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -29,7 +29,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 21de0b6010d4445b2194624a4776886fcf61f982
   wip-manual-document-mt-safety-threads.patch: eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
   wip-manual-document-mt-safety-time.patch: 23fab67522c5b3d91610013fb2c8562cf7ec3169
-  wip-manual-document-mt-safety-locale.patch: fe706bad5be70be468054c3d603d2026477c8e9b
-  refresh-temp: dbb3da270a19fb43d667c13537697660a656c235
+  wip-manual-document-mt-safety-locale.patch: 4214cb36d3708ec427b9de7324c804d24d9c3552
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 3b00500..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,26 +0,0 @@
-Bottom: e8b652117ea1b56a1869c44cc40594c34af2f636
-Top:    574b1f3ead78e44f9134dc32d8cb5ccf08eeb941
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 12:45:06 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index 11c9dc7..4afa104 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -1329,8 +1329,10 @@ access to the corresponding locale definitions.
- @comment GNU
- @comment stdlib.h
- @deftypefun int rpmatch (const char *@var{response})
--@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
--@c regfree, regcomp and regexec.
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
-+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale, but
-+@c it's regcomp and regexec that bring in all of the safety issues.
-+@c regfree is also called, but it doesn't introduce any further issues.
- The function @code{rpmatch} checks the string in @var{response} whether
- or not it is a correct yes-or-no answer and if yes, which one.  The
- check uses the @code{YESEXPR} and @code{NOEXPR} data in the
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index c330fb8..c54933c 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: 7f940b008b7f2743c4684dd4fcac50b2e707388b
-Top:    e8b652117ea1b56a1869c44cc40594c34af2f636
+Top:    574b1f3ead78e44f9134dc32d8cb5ccf08eeb941
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:01 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..11c9dc7 100644
+index 2f10fcd..4afa104 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
 @@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
@@ -188,12 +188,14 @@ index 2f10fcd..11c9dc7 100644
  The @code{strfmon} function is similar to the @code{strftime} function
  in that it takes a buffer, its size, a format string,
  and values to write into the buffer as text in a form specified
-@@ -1185,6 +1329,8 @@ access to the corresponding locale definitions.
+@@ -1185,6 +1329,10 @@ access to the corresponding locale definitions.
  @comment GNU
  @comment stdlib.h
  @deftypefun int rpmatch (const char *@var{response})
-+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
-+@c regfree, regcomp and regexec.
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale, but
++@c it's regcomp and regexec that bring in all of the safety issues.
++@c regfree is also called, but it doesn't introduce any further issues.
  The function @code{rpmatch} checks the string in @var{response} whether
  or not it is a correct yes-or-no answer and if yes, which one.  The
  check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0a7907b63c6a66c7e414744103819d7f8366771e

commit 0a7907b63c6a66c7e414744103819d7f8366771e
Merge: e839210 0e6cf8b dbb3da2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:45:06 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e83921077a06a7f7a7ac99e91331ca75fdb6ad54

commit e83921077a06a7f7a7ac99e91331ca75fdb6ad54
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:45:06 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index a09e1c7..629a4c4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 8620221110d5cce755f0bc92af6422aa916ca8bb
-Head: fe706bad5be70be468054c3d603d2026477c8e9b
+Previous: 0e6cf8b865cd53052d4ecb71f3d21a2efd6d6c26
+Head: dbb3da270a19fb43d667c13537697660a656c235
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -30,5 +30,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
   wip-manual-document-mt-safety-time.patch: 23fab67522c5b3d91610013fb2c8562cf7ec3169
   wip-manual-document-mt-safety-locale.patch: fe706bad5be70be468054c3d603d2026477c8e9b
+  refresh-temp: dbb3da270a19fb43d667c13537697660a656c235
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..3b00500
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,26 @@
+Bottom: e8b652117ea1b56a1869c44cc40594c34af2f636
+Top:    574b1f3ead78e44f9134dc32d8cb5ccf08eeb941
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 12:45:06 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 11c9dc7..4afa104 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -1329,8 +1329,10 @@ access to the corresponding locale definitions.
+ @comment GNU
+ @comment stdlib.h
+ @deftypefun int rpmatch (const char *@var{response})
+-@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
+-@c regfree, regcomp and regexec.
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale, but
++@c it's regcomp and regexec that bring in all of the safety issues.
++@c regfree is also called, but it doesn't introduce any further issues.
+ The function @code{rpmatch} checks the string in @var{response} whether
+ or not it is a correct yes-or-no answer and if yes, which one.  The
+ check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dbb3da270a19fb43d667c13537697660a656c235

commit dbb3da270a19fb43d667c13537697660a656c235
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:45:06 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index 11c9dc7..4afa104 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -1329,8 +1329,10 @@ access to the corresponding locale definitions.
 @comment GNU
 @comment stdlib.h
 @deftypefun int rpmatch (const char *@var{response})
-@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
-@c regfree, regcomp and regexec.
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale, but
+@c it's regcomp and regexec that bring in all of the safety issues.
+@c regfree is also called, but it doesn't introduce any further issues.
 The function @code{rpmatch} checks the string in @var{response} whether
 or not it is a correct yes-or-no answer and if yes, which one.  The
 check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0e6cf8b865cd53052d4ecb71f3d21a2efd6d6c26

commit 0e6cf8b865cd53052d4ecb71f3d21a2efd6d6c26
Merge: fdb8679 8620221 fe706ba
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:35 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fdb867912c15762fce03f47eb8279235f617d620

commit fdb867912c15762fce03f47eb8279235f617d620
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:35 2013 -0300

    push

diff --git a/meta b/meta
index fb37d51..a09e1c7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 38b88191060bafc589e7c0d4927b9398a5be2aac
-Head: 9d8222797fb192c47f61ef2756ba9bf721caed9d
+Previous: 8620221110d5cce755f0bc92af6422aa916ca8bb
+Head: fe706bad5be70be468054c3d603d2026477c8e9b
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -22,13 +22,13 @@ Applied:
   manual-document-mt-safety-stdio.patch: 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
   wip-manual-document-mt-safety-math.patch: db9625097d5f7d73d8ba1e10cf6a592ef525404f
   wip-manual-document-mt-safety-pattern.patch: 9d8222797fb192c47f61ef2756ba9bf721caed9d
+  wip-manual-document-mt-safety-resource.patch: ea9df22bfd43daf99bbcadfa546e4989e0bec7ea
+  wip-manual-document-mt-safety-startup.patch: 774b847dc98387e90b576162ae3037de3f804693
+  wip-manual-document-mt-safety-search.patch: 33ed2f703bf905ac3dbb8beadda4548fb8ec09d2
+  wip-manual-document-mt-safety-string.patch: b821402693242076cefaf22a0d5f04c48fedd3d0
+  wip-manual-document-mt-safety-terminal.patch: 21de0b6010d4445b2194624a4776886fcf61f982
+  wip-manual-document-mt-safety-threads.patch: eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
+  wip-manual-document-mt-safety-time.patch: 23fab67522c5b3d91610013fb2c8562cf7ec3169
+  wip-manual-document-mt-safety-locale.patch: fe706bad5be70be468054c3d603d2026477c8e9b
 Unapplied:
-  wip-manual-document-mt-safety-resource.patch: dcd90718c551e61f1cbeab38fa4363d8a7a32bd2
-  wip-manual-document-mt-safety-startup.patch: 230f153ea88ba8ed2cb29f2e2ef3cc40951f6225
-  wip-manual-document-mt-safety-search.patch: 5e0862c9507f9dc42f539d580c22b31cc9feb8df
-  wip-manual-document-mt-safety-string.patch: 18ca074b1729953c82b2ccfbe825c115d2e92612
-  wip-manual-document-mt-safety-terminal.patch: fe3192904116fc22495af608394faa50f46a1da0
-  wip-manual-document-mt-safety-threads.patch: 0130f8b910297080deea57ff964d8984d8d8df56
-  wip-manual-document-mt-safety-time.patch: 3a43e38278e86406b56895d8bf3b3040b0c1ebbb
-  wip-manual-document-mt-safety-locale.patch: e20d050989275a4938846e2098120ac93bb27b73
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index d7b5c64..c330fb8 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 3c7783bfe7de272998ff4b6668ff58fb27d5195e
-Top:    c5756e591f2df4db2169921a9937ae43e5dd0515
+Bottom: 7f940b008b7f2743c4684dd4fcac50b2e707388b
+Top:    e8b652117ea1b56a1869c44cc40594c34af2f636
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:01 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index d6f39ef..4a933c4 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 1edf7473ed3adfbf39a7390aa6530490cabd4b27
-Top:    1af05f5ff3de999f0b097ad6ce65923b3cdc2986
+Bottom: e9dc853cd4e0bf04e89587ca842442a911baed92
+Top:    ffd5cfff82d2353229204337d172ca6232c502d5
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 3153fc6..ae3f846 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 3a4ad95549c1eb22a0990741b208dcf7f9df2109
-Top:    a15b9967cd628c7e743a12baa7c51939942c7221
+Bottom: 2f7ecd5a953ea11aa3294ac487aa5f53c941a28a
+Top:    da16f2d144f592ae1c849bcff6b273474b94d60c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 1777e85..ec93026 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 1af05f5ff3de999f0b097ad6ce65923b3cdc2986
-Top:    3a4ad95549c1eb22a0990741b208dcf7f9df2109
+Bottom: ffd5cfff82d2353229204337d172ca6232c502d5
+Top:    2f7ecd5a953ea11aa3294ac487aa5f53c941a28a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index b2366af..f01c56b 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: a15b9967cd628c7e743a12baa7c51939942c7221
-Top:    a93874fc96e3fc2953e3dbc25075e40aed26e303
+Bottom: da16f2d144f592ae1c849bcff6b273474b94d60c
+Top:    d48407311de1aa694a411ebc9cc94142760cb765
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index d2d2e45..a90b426 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: a93874fc96e3fc2953e3dbc25075e40aed26e303
-Top:    5feb2a01420811fae094f7c765bf93748917c28a
+Bottom: d48407311de1aa694a411ebc9cc94142760cb765
+Top:    1c64962cf5d20e506eff6118547fd4edf52ad63a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 858f0f5..bee22e1 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 5feb2a01420811fae094f7c765bf93748917c28a
-Top:    c2d062247b8bc834da6c82aa7cfd32a9bd64b195
+Bottom: 1c64962cf5d20e506eff6118547fd4edf52ad63a
+Top:    3cfff0bb2a5e937f8fe10f3c1a9b77ca1b079659
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 1db2359..f2267fc 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: c2d062247b8bc834da6c82aa7cfd32a9bd64b195
-Top:    3c7783bfe7de272998ff4b6668ff58fb27d5195e
+Bottom: 3cfff0bb2a5e937f8fe10f3c1a9b77ca1b079659
+Top:    7f940b008b7f2743c4684dd4fcac50b2e707388b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4214cb36d3708ec427b9de7324c804d24d9c3552

commit 4214cb36d3708ec427b9de7324c804d24d9c3552
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..4afa104 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
@@ -414,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -680,6 +815,10 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.  It
+@c doesn't run afoul of glocale itself, but callers may.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -974,6 +1113,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified
@@ -1185,6 +1329,10 @@ access to the corresponding locale definitions.
 @comment GNU
 @comment stdlib.h
 @deftypefun int rpmatch (const char *@var{response})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale, but
+@c it's regcomp and regexec that bring in all of the safety issues.
+@c regfree is also called, but it doesn't introduce any further issues.
 The function @code{rpmatch} checks the string in @var{response} whether
 or not it is a correct yes-or-no answer and if yes, which one.  The
 check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe706bad5be70be468054c3d603d2026477c8e9b

commit fe706bad5be70be468054c3d603d2026477c8e9b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..11c9dc7 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
@@ -414,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -680,6 +815,10 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.  It
+@c doesn't run afoul of glocale itself, but callers may.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -974,6 +1113,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified
@@ -1185,6 +1329,8 @@ access to the corresponding locale definitions.
 @comment GNU
 @comment stdlib.h
 @deftypefun int rpmatch (const char *@var{response})
+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
+@c regfree, regcomp and regexec.
 The function @code{rpmatch} checks the string in @var{response} whether
 or not it is a correct yes-or-no answer and if yes, which one.  The
 check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=23fab67522c5b3d91610013fb2c8562cf7ec3169

commit 23fab67522c5b3d91610013fb2c8562cf7ec3169
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7

commit eafe2b5006176bc49e35cfcd3e4e15ea5a1457d7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=21de0b6010d4445b2194624a4776886fcf61f982

commit 21de0b6010d4445b2194624a4776886fcf61f982
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b821402693242076cefaf22a0d5f04c48fedd3d0

commit b821402693242076cefaf22a0d5f04c48fedd3d0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 2a164a9..b63a849 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Calls strcoll_l with the current locale, which dereferences only the
+@c LC_COLLATE data pointer.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1351,6 +1361,8 @@ collating sequence of the current locale for collation (the
 @comment wchar.h
 @comment ISO
 @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Same as strcoll, but calling wcscoll_l.
 The @code{wcscoll} function is similar to @code{wcscmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1649,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1691,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2689,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=33ed2f703bf905ac3dbb8beadda4548fb8ec09d2

commit 33ed2f703bf905ac3dbb8beadda4548fb8ec09d2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=774b847dc98387e90b576162ae3037de3f804693

commit 774b847dc98387e90b576162ae3037de3f804693
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ea9df22bfd43daf99bbcadfa546e4989e0bec7ea

commit ea9df22bfd43daf99bbcadfa546e4989e0bec7ea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8620221110d5cce755f0bc92af6422aa916ca8bb

commit 8620221110d5cce755f0bc92af6422aa916ca8bb
Merge: ebe6a3c 9d82227 38b8819
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:31 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ebe6a3c6eeb76381b8b2497cb3fdb2c0d1f3ebb5

commit ebe6a3c6eeb76381b8b2497cb3fdb2c0d1f3ebb5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:31 2013 -0300

    float

diff --git a/meta b/meta
index b3559cf..fb37d51 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 124e141587a6c8e3ef9d9827e564fda0fd391213
-Head: db9625097d5f7d73d8ba1e10cf6a592ef525404f
+Previous: 38b88191060bafc589e7c0d4927b9398a5be2aac
+Head: 9d8222797fb192c47f61ef2756ba9bf721caed9d
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -21,6 +21,7 @@ Applied:
   manual-document-mt-safety-llio.patch: 97db8a779b727d321dc9cf106a644fa761073224
   manual-document-mt-safety-stdio.patch: 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
   wip-manual-document-mt-safety-math.patch: db9625097d5f7d73d8ba1e10cf6a592ef525404f
+  wip-manual-document-mt-safety-pattern.patch: 9d8222797fb192c47f61ef2756ba9bf721caed9d
 Unapplied:
   wip-manual-document-mt-safety-resource.patch: dcd90718c551e61f1cbeab38fa4363d8a7a32bd2
   wip-manual-document-mt-safety-startup.patch: 230f153ea88ba8ed2cb29f2e2ef3cc40951f6225
@@ -30,5 +31,4 @@ Unapplied:
   wip-manual-document-mt-safety-threads.patch: 0130f8b910297080deea57ff964d8984d8d8df56
   wip-manual-document-mt-safety-time.patch: 3a43e38278e86406b56895d8bf3b3040b0c1ebbb
   wip-manual-document-mt-safety-locale.patch: e20d050989275a4938846e2098120ac93bb27b73
-  wip-manual-document-mt-safety-pattern.patch: 8208554d81801665bf30d80e86a9d43b6036428d
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
index aa25e62..3e44fe7 100644
--- a/patches/wip-manual-document-mt-safety-pattern.patch
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -1,5 +1,5 @@
-Bottom: c5756e591f2df4db2169921a9937ae43e5dd0515
-Top:    e8b652117ea1b56a1869c44cc40594c34af2f636
+Bottom: 1edf7473ed3adfbf39a7390aa6530490cabd4b27
+Top:    e9dc853cd4e0bf04e89587ca842442a911baed92
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 03:02:58 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9d8222797fb192c47f61ef2756ba9bf721caed9d

commit 9d8222797fb192c47f61ef2756ba9bf721caed9d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..da2c8b6 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c All of the issues have to do with memory allocation and multi-byte 
+@c character handling present in the input string, or implied by ranges
+@c or inverted character classes.
+@c (re_)malloc asmalloc, memleak
+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
+@c    callers that don't zero the buffer)
+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   (re_)malloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c   _NL_CURRENT ok
+@c   _NL_CURRENT_WORD ok
+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  libc_lock_init ok
+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_construct_common ok
+@c   re_string_realloc_buffers asmalloc, memleak
+@c    (re_)realloc dup asmalloc, memleak
+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    isascii ok
+@c    mbsinit ok
+@c    toupper ok
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    iswlower glocale
+@c    towupper glocale
+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    (re_)malloc dup asmalloc, memleak
+@c   build_upper_buffer ok (glocale, but optimized)
+@c    islower ok
+@c    toupper ok
+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_translate_buffer ok
+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    peek_token ok (maybe glocale)
+@c     re_string_eoi ok
+@c     re_string_peek_byte ok
+@c     re_string_cur_idx ok
+@c     re_string_length ok
+@c     re_string_peek_byte_case ok (maybe glocale)
+@c      re_string_peek_byte dup ok
+@c      re_string_is_single_byte_char ok
+@c      isascii ok
+@c      re_string_peek_byte dup ok
+@c     re_string_wchar_at ok
+@c     re_string_skip_bytes ok
+@c    re_string_skip_bytes dup ok
+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_token_tree dup asmalloc, memleak
+@c      re_string_eoi dup ok
+@c      re_string_first_byte ok
+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_tree dup asmalloc, memleak
+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       postorder() asmalloc, memleak
+@c        free_tree asmalloc, memleak
+@c         free_token dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       _NL_CURRENT dup ok
+@c       _NL_CURRENT_WORD dup ok
+@c       calloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       peek_token_bracket ok
+@c        re_string_eoi dup ok
+@c        re_string_peek_byte dup ok
+@c        re_string_first_byte dup ok
+@c        re_string_cur_idx dup ok
+@c        re_string_length dup ok
+@c        re_string_skip_bytes dup ok
+@c       bitset_set ok
+@c       re_string_skip_bytes ok
+@c       parse_bracket_element ok (maybe glocale)
+@c        re_string_char_size_at ok
+@c        re_string_wchar_at dup ok
+@c        re_string_skip_bytes dup ok
+@c        parse_bracket_symbol ok (maybe glocale)
+@c         re_string_eoi dup ok
+@c         re_string_fetch_byte_case ok (maybe glocale)
+@c          re_string_fetch_byte ok
+@c          re_string_first_byte dup ok
+@c          isascii ok
+@c          re_string_char_size_at dup ok
+@c          re_string_skip_bytes dup ok
+@c         re_string_fetch_byte dup ok
+@c         re_string_peek_byte dup ok
+@c         re_string_skip_bytes dup ok
+@c        peek_token_bracket dup ok
+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         collseq_table_lookup ok
+@c         auto seek_collating_symbol_entry dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c        collseq_table_lookup dup ok
+@c       bitset_set dup ok
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_equiv_class (maybe glocale), asmalloc, memleak
+@c        _NL_CURRENT ok
+@c        auto findidx ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       auto build_collating_symbol asmalloc, memleak
+@c        auto seek_collating_symbol_entry ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       build_charclass (maybe glocale), asmalloc, memleak
+@c        (re_)realloc dup asmalloc, memleak
+@c        bitset_set dup ok
+@c        isalnum ok
+@c        iscntrl ok
+@c        isspace ok
+@c        isalpha ok
+@c        isdigit ok
+@c        isprint ok
+@c        isupper ok
+@c        isblank ok
+@c        isgraph ok
+@c        ispunct ok
+@c        isxdigit ok
+@c       bitset_not ok
+@c       bitset_mask ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c      init_word_char (maybe glocale)
+@c       isalnum ok
+@c      build_charclass_op (maybe glocale), asmalloc, memleak
+@c       calloc dup asmalloc, memleak
+@c       build_charclass dup (maybe glocale), asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c       bitset_set dup ok
+@c       bitset_not dup ok
+@c       bitset_mask dup ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_cur_idx dup ok
+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_set_index ok
+@c       postorder() asmalloc, memleak
+@c        free_tree dup asmalloc, memleak
+@c        mark_opt_subexp ok
+@c       duplicate_tree asmalloc, memleak
+@c        create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c     postorder() asmalloc, memleak
+@c      free_tree dup asmalloc, memleak
+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    create_tree dup asmalloc, memleak
+@c   create_tree asmalloc, memleak
+@c    create_token_tree asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c  analyze asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   preorder() asmalloc, memleak
+@c    optimize_subexps ok
+@c    calc_next ok
+@c    link_nfa_nodes asmalloc, memleak
+@c     re_node_set_init_1 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_2 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c   postorder() asmalloc, memleak
+@c    lower_subexps asmalloc, memleak
+@c     lower_subexp asmalloc, memleak
+@c      create_tree dup asmalloc, memleak
+@c    calc_first asmalloc, memleak
+@c     re_dfa_add_node asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c      re_node_set_init_empty ok
+@c   calc_eclosure asmalloc, memleak
+@c    calc_eclosure_iter asmalloc, memleak
+@c     re_node_set_alloc asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     duplicate_node_closure asmalloc, memleak
+@c      re_node_set_empty ok
+@c      duplicate_node asmalloc, memleak
+@c       re_dfa_add_node dup asmalloc, memleak
+@c      re_node_set_insert asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c      search_duplicated_node ok
+@c     re_node_set_merge asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c     re_node_set_free asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     re_node_set_insert dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   calc_inveclosure asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c    re_node_set_insert_last asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c  optimize_utf8 ok
+@c  create_initial_state asmalloc, memleak
+@c   re_node_set_init_copy asmalloc, memleak
+@c    (re_)malloc dup asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c   re_node_set_contains ok
+@c   re_node_set_merge dup asmalloc, memleak
+@c   re_acquire_state_context asmalloc, memleak
+@c    calc_state_hash ok
+@c    re_node_set_compare ok
+@c    create_cd_newstate asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c     free_state asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     NOT_SATISFY_PREV_CONSTRAINT ok
+@c     re_node_set_remove_at ok
+@c     register_state asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_insert_last dup asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c  free_workarea_compile asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  free_dfa_content asmalloc, memleak
+@c   free_token asmalloc, memleak
+@c    free_charset asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_set_fastmap ok
+@c    tolower ok
+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   towlower glocale
+@c   _NL_CURRENT ok
+@c (re_)free asmalloc, memleak
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for
@@ -885,6 +1130,247 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c libc_lock_lock selfdeadlock, lockleak
+@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_string_allocate asmalloc, memleak
+@c   re_string_construct_common dup ok
+@c   re_string_realloc_buffers dup asmalloc, memleak
+@c  match_ctx_init asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c  re_string_byte_at ok
+@c  re_string_first_byte dup ok
+@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_cur_idx dup ok
+@c   acquire_init_state_context dup asmalloc, memleak
+@c    re_string_context_at ok
+@c     re_string_byte_at dup ok
+@c     bitset_contain ok
+@c    re_acquire_state_context dup asmalloc, memleak
+@c   check_subexp_matching_top asmalloc, memleak
+@c    match_ctx_add_subtop asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_string_context_at dup ok
+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_get_buffer ok
+@c     search_cur_bkref_entry ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_realloc_buffers dup asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       build_upper_buffer dup ok (glocale, but optimized)
+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_translate_buffer dup ok
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       re_string_context_at dup ok
+@c       re_node_set_init_1 dup asmalloc, memleak
+@c       check_arrival_expand_ecl asmalloc, memleak
+@c        re_node_set_alloc dup asmalloc, memleak
+@c        find_subexp_node ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        check_arrival_expand_ecl_sub asmalloc, memleak
+@c         re_node_set_contains dup ok
+@c         re_node_set_insert dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_init_copy dup asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       expand_bkref_cache asmalloc, memleak
+@c        search_cur_bkref_entry dup ok
+@c        re_node_set_contains dup ok
+@c        re_node_set_init_1 dup asmalloc, memleak
+@c        check_arrival_expand_ecl dup asmalloc, memleak
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_init_copy dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_acquire_state asmalloc, memleak
+@c         calc_state_hash dup ok
+@c         re_node_set_compare dup ok
+@c         create_ci_newstate asmalloc, memleak
+@c          calloc dup asmalloc, memleak
+@c          re_node_set_init_copy dup asmalloc, memleak
+@c          (re_)free dup asmalloc, memleak
+@c          register_state dup asmalloc, memleak
+@c          free_state dup asmalloc, memleak
+@c       re_acquire_state_context dup asmalloc, memleak
+@c       re_node_set_merge dup asmalloc, memleak
+@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
+@c        re_node_set_init_empty dup ok
+@c        check_node_accept_bytes glocale, asmalloc, memleak
+@c         re_string_byte_at dup ok
+@c         re_string_char_size_at dup ok
+@c         re_string_elem_size_at (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c          auto findidx dup ok
+@c         _NL_CURRENT_WORD dup ok
+@c         _NL_CURRENT dup ok
+@c         collseq_table_lookup dup ok
+@c         find_collation_sequence_value (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c         auto findidx dup ok
+@c         wcscoll glocale, asmalloc, memleak
+@c        re_node_set_empty dup ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_acquire_state dup asmalloc, memleak
+@c        check_node_accept ok
+@c         re_string_byte_at dup ok
+@c         bitset_contain dup ok
+@c         re_string_context_at dup ok
+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c      match_ctx_add_entry asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     find_subexp_node dup ok
+@c     calloc dup asmalloc, memleak
+@c     check_arrival dup ***
+@c     match_ctx_add_sublast asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c    re_acquire_state_context dup asmalloc, memleak
+@c    re_node_set_init_union asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     re_node_set_init_empty dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top dup asmalloc, memleak
+@c   check_halt_state_context ok
+@c    re_string_context_at dup ok
+@c    check_halt_node_context ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c   re_string_eoi dup ok
+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_context_at dup ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c     check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     re_string_cur_idx dup ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_node_set_init_union dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c    re_string_fetch_byte dup ok
+@c    re_string_context_at dup ok
+@c    build_trtable asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     group_nodes_into_DFAstates asmalloc, memleak
+@c      bitset_empty dup ok
+@c      bitset_set dup ok
+@c      bitset_merge dup ok
+@c      bitset_set_all ok
+@c      bitset_clear ok
+@c      bitset_contain dup ok
+@c      bitset_copy ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      re_node_set_init_1 dup asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c     re_node_set_alloc dup asmalloc, memleak
+@c     malloc dup asmalloc, memleak
+@c     free dup asmalloc, memleak
+@c     re_node_set_free dup asmalloc, memleak
+@c     bitset_empty ok
+@c     re_node_set_empty dup ok
+@c     re_node_set_merge dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c     bitset_merge ok
+@c     calloc dup asmalloc, memleak
+@c     bitset_contain dup ok
+@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_string_context_at dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top asmalloc, memleak
+@c     match_ctx_add_subtop dup asmalloc, memleak
+@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   find_recover_state
+@c    re_string_cur_idx dup ok
+@c    re_string_skip_bytes dup ok
+@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  check_halt_state_context dup ok
+@c  prune_impossible_nodes glocale, asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   sift_ctx_init ok
+@c    re_node_set_init_empty dup ok
+@c   sift_states_backward glocale, asmalloc, memleak
+@c    re_node_set_init_1 dup asmalloc, memleak
+@c    update_cur_sifted_state glocale, asmalloc, memleak
+@c     add_epsilon_src_nodes asmalloc, memleak
+@c      re_acquire_state dup asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_merge dup asmalloc, memleak
+@c      re_node_set_add_intersect asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c     check_subexp_limits asmalloc, memleak
+@c      sub_epsilon_src_nodes asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_add_intersect dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_contains dup ok
+@c     re_acquire_state dup asmalloc, memleak
+@c     sift_states_bkref glocale, asmalloc, memleak
+@c      search_cur_bkref_entry dup ok
+@c      check_dst_limits ok
+@c       search_cur_bkref_entry dup ok
+@c       check_dst_limits_calc_pos ok
+@c        check_dst_limits_calc_pos_1 ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      sift_states_backward dup glocale, asmalloc, memleak
+@c      merge_state_array dup asmalloc, memleak
+@c      re_node_set_remove ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_free dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    re_node_set_empty dup ok
+@c    build_sifted_states glocale, asmalloc, memleak
+@c     sift_states_iter_mb glocale, asmalloc, memleak
+@c      check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     check_node_accept dup ok
+@c     check_dst_limits dup ok
+@c     re_node_set_insert dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c   check_halt_state_context dup ok
+@c   merge_state_array asmalloc, memleak
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_acquire_state dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  set_regs asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   re_node_set_init_empty dup ok
+@c   free_fail_stack_return asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   update_regs ok
+@c   re_node_set_free dup asmalloc, memleak
+@c   pop_fail_stack asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  (re_)free dup asmalloc, memleak
+@c  match_ctx_free asmalloc, memleak
+@c   match_ctx_clean asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct dup asmalloc, memleak
+@c libc_lock_unlock lockleak
 This function tries to match the compiled regular expression
 @code{*@var{compiled}} against @var{string}.
 
@@ -1047,6 +1533,9 @@ free the storage it uses by calling @code{regfree}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun void regfree (regex_t *@var{compiled})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c (re_)free dup asmalloc, memleak
+@c free_dfa_content dup asmalloc, memleak
 Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
 points to.  This includes various internal fields of the @code{regex_t}
 structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=38b88191060bafc589e7c0d4927b9398a5be2aac

commit 38b88191060bafc589e7c0d4927b9398a5be2aac
Merge: 27dc992 124e141
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:26 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=27dc99269da5c00ff4a8e7d32e2406fa01311c43

commit 27dc99269da5c00ff4a8e7d32e2406fa01311c43
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:26 2013 -0300

    goto

diff --git a/meta b/meta
index 65c3d61..b3559cf 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: c9b9f230ef9957654e167609f80ff8064e6a3026
-Head: 8208554d81801665bf30d80e86a9d43b6036428d
+Previous: 124e141587a6c8e3ef9d9827e564fda0fd391213
+Head: db9625097d5f7d73d8ba1e10cf6a592ef525404f
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -21,6 +21,7 @@ Applied:
   manual-document-mt-safety-llio.patch: 97db8a779b727d321dc9cf106a644fa761073224
   manual-document-mt-safety-stdio.patch: 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
   wip-manual-document-mt-safety-math.patch: db9625097d5f7d73d8ba1e10cf6a592ef525404f
+Unapplied:
   wip-manual-document-mt-safety-resource.patch: dcd90718c551e61f1cbeab38fa4363d8a7a32bd2
   wip-manual-document-mt-safety-startup.patch: 230f153ea88ba8ed2cb29f2e2ef3cc40951f6225
   wip-manual-document-mt-safety-search.patch: 5e0862c9507f9dc42f539d580c22b31cc9feb8df
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-time.patch: 3a43e38278e86406b56895d8bf3b3040b0c1ebbb
   wip-manual-document-mt-safety-locale.patch: e20d050989275a4938846e2098120ac93bb27b73
   wip-manual-document-mt-safety-pattern.patch: 8208554d81801665bf30d80e86a9d43b6036428d
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=124e141587a6c8e3ef9d9827e564fda0fd391213

commit 124e141587a6c8e3ef9d9827e564fda0fd391213
Merge: b81d500 8208554 c9b9f23
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:24 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b81d500b7e174564e85f1fbe28cf53a19681e8c9

commit b81d500b7e174564e85f1fbe28cf53a19681e8c9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:24 2013 -0300

    refresh

diff --git a/meta b/meta
index d96adac..65c3d61 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 088f4ecfd9174e8d26f01c2c8f860183e1adade0
-Head: d4ee0440dd5f7ec044f9e8e9bf0e99de22a9fb07
+Previous: c9b9f230ef9957654e167609f80ff8064e6a3026
+Head: 8208554d81801665bf30d80e86a9d43b6036428d
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -29,7 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 0130f8b910297080deea57ff964d8984d8d8df56
   wip-manual-document-mt-safety-time.patch: 3a43e38278e86406b56895d8bf3b3040b0c1ebbb
   wip-manual-document-mt-safety-locale.patch: e20d050989275a4938846e2098120ac93bb27b73
-  wip-manual-document-mt-safety-pattern.patch: bbf7743976ec2adddb2f60002a8d591211e8d3c7
-  refresh-temp: d4ee0440dd5f7ec044f9e8e9bf0e99de22a9fb07
+  wip-manual-document-mt-safety-pattern.patch: 8208554d81801665bf30d80e86a9d43b6036428d
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 85df7a2..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,177 +0,0 @@
-Bottom: b58480891cc51f5cdfe4434cd3a40ad48edac192
-Top:    e8b652117ea1b56a1869c44cc40594c34af2f636
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 12:43:23 -0300
-
-Refresh of wip-manual-document-mt-safety-pattern.patch
-
----
-
-diff --git a/manual/pattern.texi b/manual/pattern.texi
-index 4b66204..da2c8b6d2 100644
---- a/manual/pattern.texi
-+++ b/manual/pattern.texi
-@@ -829,7 +829,7 @@ expression into it by calling @code{regcomp}.
- @c         re_string_fetch_byte dup ok
- @c         re_string_peek_byte dup ok
- @c         re_string_skip_bytes dup ok
--@c        peek_token_bracket dup
-+@c        peek_token_bracket dup ok
- @c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-@@ -1130,8 +1130,9 @@ unless the regular expression contains anchor characters (@samp{^} or
- @comment regex.h
- @comment POSIX.2
- @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- @c libc_lock_lock selfdeadlock, lockleak
--@c re_search_internal
-+@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c  re_string_allocate asmalloc, memleak
- @c   re_string_construct_common dup ok
- @c   re_string_realloc_buffers dup asmalloc, memleak
-@@ -1139,7 +1140,7 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c   (re_)malloc dup asmalloc, memleak
- @c  re_string_byte_at ok
- @c  re_string_first_byte dup ok
--@c  check_matching
-+@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c   re_string_cur_idx dup ok
- @c   acquire_init_state_context dup asmalloc, memleak
- @c    re_string_context_at ok
-@@ -1150,11 +1151,11 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c    match_ctx_add_subtop asmalloc, memleak
- @c     (re_)realloc dup asmalloc, memleak
- @c     calloc dup asmalloc, memleak
--@c   transit_state_bkref
-+@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c    re_string_cur_idx dup ok
- @c    re_string_context_at dup ok
- @c    NOT_SATISFY_NEXT_CONSTRAINT ok
--@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
-+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c     re_string_get_buffer ok
- @c     search_cur_bkref_entry ok
- @c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-@@ -1165,8 +1166,8 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c       build_upper_buffer dup ok (glocale, but optimized)
- @c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c       re_string_translate_buffer dup ok
--@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
--@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
-+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c       (re_)realloc dup asmalloc, memleak
- @c       re_string_context_at dup ok
- @c       re_node_set_init_1 dup asmalloc, memleak
-@@ -1201,9 +1202,9 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c          free_state dup asmalloc, memleak
- @c       re_acquire_state_context dup asmalloc, memleak
- @c       re_node_set_merge dup asmalloc, memleak
--@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
-+@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
- @c        re_node_set_init_empty dup ok
--@c        check_node_accept_bytes (maybe glocale), ***wcscoll
-+@c        check_node_accept_bytes glocale, asmalloc, memleak
- @c         re_string_byte_at dup ok
- @c         re_string_char_size_at dup ok
- @c         re_string_elem_size_at (maybe glocale)
-@@ -1217,7 +1218,7 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c          _NL_CURRENT_WORD dup ok
- @c          _NL_CURRENT dup ok
- @c         auto findidx dup ok
--@c         wcscoll ***wcscoll
-+@c         wcscoll glocale, asmalloc, memleak
- @c        re_node_set_empty dup ok
- @c        re_node_set_merge dup asmalloc, memleak
- @c        re_node_set_free dup asmalloc, memleak
-@@ -1233,7 +1234,7 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c       (re_)free dup asmalloc, memleak
- @c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
--@c     find_subexp_node dup
-+@c     find_subexp_node dup ok
- @c     calloc dup asmalloc, memleak
- @c     check_arrival dup ***
- @c     match_ctx_add_sublast asmalloc, memleak
-@@ -1251,11 +1252,11 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
- @c   re_string_eoi dup ok
- @c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
--@c   transit_state
--@c    transit_state_mb
-+@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c     re_string_context_at dup ok
- @c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
--@c     check_node_accept_bytes dup
-+@c     check_node_accept_bytes dup glocale, asmalloc, memleak
- @c     re_string_cur_idx dup ok
- @c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c     re_node_set_init_union dup asmalloc, memleak
-@@ -1287,26 +1288,26 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c     bitset_merge ok
- @c     calloc dup asmalloc, memleak
- @c     bitset_contain dup ok
--@c   merge_state_with_log
-+@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c    re_string_cur_idx dup ok
- @c    re_node_set_init_union dup asmalloc, memleak
- @c    re_string_context_at dup ok
- @c    re_node_set_free dup asmalloc, memleak
- @c    check_subexp_matching_top asmalloc, memleak
- @c     match_ctx_add_subtop dup asmalloc, memleak
--@c    transit_state_bkref dup
-+@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
- @c   find_recover_state
- @c    re_string_cur_idx dup ok
- @c    re_string_skip_bytes dup ok
--@c    merge_state_with_log dup
--@c  check_halt_state_context dup
--@c  prune_impossible_nodes
-+@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c  check_halt_state_context dup ok
-+@c  prune_impossible_nodes glocale, asmalloc, memleak
- @c   (re_)malloc dup asmalloc, memleak
- @c   sift_ctx_init ok
- @c    re_node_set_init_empty dup ok
--@c   sift_states_backward
-+@c   sift_states_backward glocale, asmalloc, memleak
- @c    re_node_set_init_1 dup asmalloc, memleak
--@c    update_cur_sifted_state asmalloc, memleak
-+@c    update_cur_sifted_state glocale, asmalloc, memleak
- @c     add_epsilon_src_nodes asmalloc, memleak
- @c      re_acquire_state dup asmalloc, memleak
- @c      re_node_set_alloc dup asmalloc, memleak
-@@ -1322,7 +1323,7 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c       re_node_set_remove_at dup ok
- @c      re_node_set_contains dup ok
- @c     re_acquire_state dup asmalloc, memleak
--@c     sift_states_bkref asmalloc, memleak
-+@c     sift_states_bkref glocale, asmalloc, memleak
- @c      search_cur_bkref_entry dup ok
- @c      check_dst_limits ok
- @c       search_cur_bkref_entry dup ok
-@@ -1330,7 +1331,7 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c        check_dst_limits_calc_pos_1 ok
- @c      re_node_set_init_copy dup asmalloc, memleak
- @c      re_node_set_insert dup asmalloc, memleak
--@c      sift_states_backward dup
-+@c      sift_states_backward dup glocale, asmalloc, memleak
- @c      merge_state_array dup asmalloc, memleak
- @c      re_node_set_remove ok
- @c       re_node_set_contains dup ok
-@@ -1338,9 +1339,9 @@ unless the regular expression contains anchor characters (@samp{^} or
- @c      re_node_set_free dup asmalloc, memleak
- @c    re_node_set_free dup asmalloc, memleak
- @c    re_node_set_empty dup ok
--@c    build_sifted_states
--@c     sift_states_iter_mb
--@c      check_node_accept_bytes dup
-+@c    build_sifted_states glocale, asmalloc, memleak
-+@c     sift_states_iter_mb glocale, asmalloc, memleak
-+@c      check_node_accept_bytes dup glocale, asmalloc, memleak
- @c     check_node_accept dup ok
- @c     check_dst_limits dup ok
- @c     re_node_set_insert dup asmalloc, memleak
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
index ba44429..aa25e62 100644
--- a/patches/wip-manual-document-mt-safety-pattern.patch
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -1,5 +1,5 @@
 Bottom: c5756e591f2df4db2169921a9937ae43e5dd0515
-Top:    b58480891cc51f5cdfe4434cd3a40ad48edac192
+Top:    e8b652117ea1b56a1869c44cc40594c34af2f636
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 03:02:58 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/pattern.texi b/manual/pattern.texi
-index 1966f3f..4b66204 100644
+index 1966f3f..da2c8b6d2 100644
 --- a/manual/pattern.texi
 +++ b/manual/pattern.texi
 @@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
@@ -113,7 +113,7 @@ index 1966f3f..4b66204 100644
 +@c         re_string_fetch_byte dup ok
 +@c         re_string_peek_byte dup ok
 +@c         re_string_skip_bytes dup ok
-+@c        peek_token_bracket dup
++@c        peek_token_bracket dup ok
 +@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
@@ -268,12 +268,13 @@ index 1966f3f..4b66204 100644
  The function @code{regcomp} ``compiles'' a regular expression into a
  data structure that you can use with @code{regexec} to match against a
  string.  The compiled regular expression format is designed for
-@@ -885,6 +1130,246 @@ unless the regular expression contains anchor characters (@samp{^} or
+@@ -885,6 +1130,247 @@ unless the regular expression contains anchor characters (@samp{^} or
  @comment regex.h
  @comment POSIX.2
  @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 +@c libc_lock_lock selfdeadlock, lockleak
-+@c re_search_internal
++@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c  re_string_allocate asmalloc, memleak
 +@c   re_string_construct_common dup ok
 +@c   re_string_realloc_buffers dup asmalloc, memleak
@@ -281,7 +282,7 @@ index 1966f3f..4b66204 100644
 +@c   (re_)malloc dup asmalloc, memleak
 +@c  re_string_byte_at ok
 +@c  re_string_first_byte dup ok
-+@c  check_matching
++@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c   re_string_cur_idx dup ok
 +@c   acquire_init_state_context dup asmalloc, memleak
 +@c    re_string_context_at ok
@@ -292,11 +293,11 @@ index 1966f3f..4b66204 100644
 +@c    match_ctx_add_subtop asmalloc, memleak
 +@c     (re_)realloc dup asmalloc, memleak
 +@c     calloc dup asmalloc, memleak
-+@c   transit_state_bkref
++@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c    re_string_cur_idx dup ok
 +@c    re_string_context_at dup ok
 +@c    NOT_SATISFY_NEXT_CONSTRAINT ok
-+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c     re_string_get_buffer ok
 +@c     search_cur_bkref_entry ok
 +@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
@@ -307,8 +308,8 @@ index 1966f3f..4b66204 100644
 +@c       build_upper_buffer dup ok (glocale, but optimized)
 +@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c       re_string_translate_buffer dup ok
-+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
-+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c       (re_)realloc dup asmalloc, memleak
 +@c       re_string_context_at dup ok
 +@c       re_node_set_init_1 dup asmalloc, memleak
@@ -343,9 +344,9 @@ index 1966f3f..4b66204 100644
 +@c          free_state dup asmalloc, memleak
 +@c       re_acquire_state_context dup asmalloc, memleak
 +@c       re_node_set_merge dup asmalloc, memleak
-+@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
++@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
 +@c        re_node_set_init_empty dup ok
-+@c        check_node_accept_bytes (maybe glocale), ***wcscoll
++@c        check_node_accept_bytes glocale, asmalloc, memleak
 +@c         re_string_byte_at dup ok
 +@c         re_string_char_size_at dup ok
 +@c         re_string_elem_size_at (maybe glocale)
@@ -359,7 +360,7 @@ index 1966f3f..4b66204 100644
 +@c          _NL_CURRENT_WORD dup ok
 +@c          _NL_CURRENT dup ok
 +@c         auto findidx dup ok
-+@c         wcscoll ***wcscoll
++@c         wcscoll glocale, asmalloc, memleak
 +@c        re_node_set_empty dup ok
 +@c        re_node_set_merge dup asmalloc, memleak
 +@c        re_node_set_free dup asmalloc, memleak
@@ -375,7 +376,7 @@ index 1966f3f..4b66204 100644
 +@c       (re_)free dup asmalloc, memleak
 +@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c     find_subexp_node dup
++@c     find_subexp_node dup ok
 +@c     calloc dup asmalloc, memleak
 +@c     check_arrival dup ***
 +@c     match_ctx_add_sublast asmalloc, memleak
@@ -393,11 +394,11 @@ index 1966f3f..4b66204 100644
 +@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
 +@c   re_string_eoi dup ok
 +@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   transit_state
-+@c    transit_state_mb
++@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c     re_string_context_at dup ok
 +@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
-+@c     check_node_accept_bytes dup
++@c     check_node_accept_bytes dup glocale, asmalloc, memleak
 +@c     re_string_cur_idx dup ok
 +@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c     re_node_set_init_union dup asmalloc, memleak
@@ -429,26 +430,26 @@ index 1966f3f..4b66204 100644
 +@c     bitset_merge ok
 +@c     calloc dup asmalloc, memleak
 +@c     bitset_contain dup ok
-+@c   merge_state_with_log
++@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c    re_string_cur_idx dup ok
 +@c    re_node_set_init_union dup asmalloc, memleak
 +@c    re_string_context_at dup ok
 +@c    re_node_set_free dup asmalloc, memleak
 +@c    check_subexp_matching_top asmalloc, memleak
 +@c     match_ctx_add_subtop dup asmalloc, memleak
-+@c    transit_state_bkref dup
++@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 +@c   find_recover_state
 +@c    re_string_cur_idx dup ok
 +@c    re_string_skip_bytes dup ok
-+@c    merge_state_with_log dup
-+@c  check_halt_state_context dup
-+@c  prune_impossible_nodes
++@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  check_halt_state_context dup ok
++@c  prune_impossible_nodes glocale, asmalloc, memleak
 +@c   (re_)malloc dup asmalloc, memleak
 +@c   sift_ctx_init ok
 +@c    re_node_set_init_empty dup ok
-+@c   sift_states_backward
++@c   sift_states_backward glocale, asmalloc, memleak
 +@c    re_node_set_init_1 dup asmalloc, memleak
-+@c    update_cur_sifted_state asmalloc, memleak
++@c    update_cur_sifted_state glocale, asmalloc, memleak
 +@c     add_epsilon_src_nodes asmalloc, memleak
 +@c      re_acquire_state dup asmalloc, memleak
 +@c      re_node_set_alloc dup asmalloc, memleak
@@ -464,7 +465,7 @@ index 1966f3f..4b66204 100644
 +@c       re_node_set_remove_at dup ok
 +@c      re_node_set_contains dup ok
 +@c     re_acquire_state dup asmalloc, memleak
-+@c     sift_states_bkref asmalloc, memleak
++@c     sift_states_bkref glocale, asmalloc, memleak
 +@c      search_cur_bkref_entry dup ok
 +@c      check_dst_limits ok
 +@c       search_cur_bkref_entry dup ok
@@ -472,7 +473,7 @@ index 1966f3f..4b66204 100644
 +@c        check_dst_limits_calc_pos_1 ok
 +@c      re_node_set_init_copy dup asmalloc, memleak
 +@c      re_node_set_insert dup asmalloc, memleak
-+@c      sift_states_backward dup
++@c      sift_states_backward dup glocale, asmalloc, memleak
 +@c      merge_state_array dup asmalloc, memleak
 +@c      re_node_set_remove ok
 +@c       re_node_set_contains dup ok
@@ -480,9 +481,9 @@ index 1966f3f..4b66204 100644
 +@c      re_node_set_free dup asmalloc, memleak
 +@c    re_node_set_free dup asmalloc, memleak
 +@c    re_node_set_empty dup ok
-+@c    build_sifted_states
-+@c     sift_states_iter_mb
-+@c      check_node_accept_bytes dup
++@c    build_sifted_states glocale, asmalloc, memleak
++@c     sift_states_iter_mb glocale, asmalloc, memleak
++@c      check_node_accept_bytes dup glocale, asmalloc, memleak
 +@c     check_node_accept dup ok
 +@c     check_dst_limits dup ok
 +@c     re_node_set_insert dup asmalloc, memleak
@@ -515,7 +516,7 @@ index 1966f3f..4b66204 100644
  This function tries to match the compiled regular expression
  @code{*@var{compiled}} against @var{string}.
  
-@@ -1047,6 +1532,9 @@ free the storage it uses by calling @code{regfree}.
+@@ -1047,6 +1533,9 @@ free the storage it uses by calling @code{regfree}.
  @comment regex.h
  @comment POSIX.2
  @deftypefun void regfree (regex_t *@var{compiled})

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c9b9f230ef9957654e167609f80ff8064e6a3026

commit c9b9f230ef9957654e167609f80ff8064e6a3026
Merge: 7887c63 088f4ec d4ee044
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:24 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7887c63c7531ed25d8fabe691bca6ea984e6252c

commit 7887c63c7531ed25d8fabe691bca6ea984e6252c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:24 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 3f8d705..d96adac 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 3eb260d75b2037994e4f90ebac51c25c51afded4
-Head: bbf7743976ec2adddb2f60002a8d591211e8d3c7
+Previous: 088f4ecfd9174e8d26f01c2c8f860183e1adade0
+Head: d4ee0440dd5f7ec044f9e8e9bf0e99de22a9fb07
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -30,5 +30,6 @@ Applied:
   wip-manual-document-mt-safety-time.patch: 3a43e38278e86406b56895d8bf3b3040b0c1ebbb
   wip-manual-document-mt-safety-locale.patch: e20d050989275a4938846e2098120ac93bb27b73
   wip-manual-document-mt-safety-pattern.patch: bbf7743976ec2adddb2f60002a8d591211e8d3c7
+  refresh-temp: d4ee0440dd5f7ec044f9e8e9bf0e99de22a9fb07
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..85df7a2
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,177 @@
+Bottom: b58480891cc51f5cdfe4434cd3a40ad48edac192
+Top:    e8b652117ea1b56a1869c44cc40594c34af2f636
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 12:43:23 -0300
+
+Refresh of wip-manual-document-mt-safety-pattern.patch
+
+---
+
+diff --git a/manual/pattern.texi b/manual/pattern.texi
+index 4b66204..da2c8b6d2 100644
+--- a/manual/pattern.texi
++++ b/manual/pattern.texi
+@@ -829,7 +829,7 @@ expression into it by calling @code{regcomp}.
+ @c         re_string_fetch_byte dup ok
+ @c         re_string_peek_byte dup ok
+ @c         re_string_skip_bytes dup ok
+-@c        peek_token_bracket dup
++@c        peek_token_bracket dup ok
+ @c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@@ -1130,8 +1130,9 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ @c libc_lock_lock selfdeadlock, lockleak
+-@c re_search_internal
++@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c  re_string_allocate asmalloc, memleak
+ @c   re_string_construct_common dup ok
+ @c   re_string_realloc_buffers dup asmalloc, memleak
+@@ -1139,7 +1140,7 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c   (re_)malloc dup asmalloc, memleak
+ @c  re_string_byte_at ok
+ @c  re_string_first_byte dup ok
+-@c  check_matching
++@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c   re_string_cur_idx dup ok
+ @c   acquire_init_state_context dup asmalloc, memleak
+ @c    re_string_context_at ok
+@@ -1150,11 +1151,11 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c    match_ctx_add_subtop asmalloc, memleak
+ @c     (re_)realloc dup asmalloc, memleak
+ @c     calloc dup asmalloc, memleak
+-@c   transit_state_bkref
++@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c    re_string_cur_idx dup ok
+ @c    re_string_context_at dup ok
+ @c    NOT_SATISFY_NEXT_CONSTRAINT ok
+-@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c     re_string_get_buffer ok
+ @c     search_cur_bkref_entry ok
+ @c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@@ -1165,8 +1166,8 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c       build_upper_buffer dup ok (glocale, but optimized)
+ @c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c       re_string_translate_buffer dup ok
+-@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+-@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c       (re_)realloc dup asmalloc, memleak
+ @c       re_string_context_at dup ok
+ @c       re_node_set_init_1 dup asmalloc, memleak
+@@ -1201,9 +1202,9 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c          free_state dup asmalloc, memleak
+ @c       re_acquire_state_context dup asmalloc, memleak
+ @c       re_node_set_merge dup asmalloc, memleak
+-@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
++@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
+ @c        re_node_set_init_empty dup ok
+-@c        check_node_accept_bytes (maybe glocale), ***wcscoll
++@c        check_node_accept_bytes glocale, asmalloc, memleak
+ @c         re_string_byte_at dup ok
+ @c         re_string_char_size_at dup ok
+ @c         re_string_elem_size_at (maybe glocale)
+@@ -1217,7 +1218,7 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c          _NL_CURRENT_WORD dup ok
+ @c          _NL_CURRENT dup ok
+ @c         auto findidx dup ok
+-@c         wcscoll ***wcscoll
++@c         wcscoll glocale, asmalloc, memleak
+ @c        re_node_set_empty dup ok
+ @c        re_node_set_merge dup asmalloc, memleak
+ @c        re_node_set_free dup asmalloc, memleak
+@@ -1233,7 +1234,7 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c       (re_)free dup asmalloc, memleak
+ @c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+-@c     find_subexp_node dup
++@c     find_subexp_node dup ok
+ @c     calloc dup asmalloc, memleak
+ @c     check_arrival dup ***
+ @c     match_ctx_add_sublast asmalloc, memleak
+@@ -1251,11 +1252,11 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+ @c   re_string_eoi dup ok
+ @c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+-@c   transit_state
+-@c    transit_state_mb
++@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c     re_string_context_at dup ok
+ @c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+-@c     check_node_accept_bytes dup
++@c     check_node_accept_bytes dup glocale, asmalloc, memleak
+ @c     re_string_cur_idx dup ok
+ @c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c     re_node_set_init_union dup asmalloc, memleak
+@@ -1287,26 +1288,26 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c     bitset_merge ok
+ @c     calloc dup asmalloc, memleak
+ @c     bitset_contain dup ok
+-@c   merge_state_with_log
++@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c    re_string_cur_idx dup ok
+ @c    re_node_set_init_union dup asmalloc, memleak
+ @c    re_string_context_at dup ok
+ @c    re_node_set_free dup asmalloc, memleak
+ @c    check_subexp_matching_top asmalloc, memleak
+ @c     match_ctx_add_subtop dup asmalloc, memleak
+-@c    transit_state_bkref dup
++@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+ @c   find_recover_state
+ @c    re_string_cur_idx dup ok
+ @c    re_string_skip_bytes dup ok
+-@c    merge_state_with_log dup
+-@c  check_halt_state_context dup
+-@c  prune_impossible_nodes
++@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  check_halt_state_context dup ok
++@c  prune_impossible_nodes glocale, asmalloc, memleak
+ @c   (re_)malloc dup asmalloc, memleak
+ @c   sift_ctx_init ok
+ @c    re_node_set_init_empty dup ok
+-@c   sift_states_backward
++@c   sift_states_backward glocale, asmalloc, memleak
+ @c    re_node_set_init_1 dup asmalloc, memleak
+-@c    update_cur_sifted_state asmalloc, memleak
++@c    update_cur_sifted_state glocale, asmalloc, memleak
+ @c     add_epsilon_src_nodes asmalloc, memleak
+ @c      re_acquire_state dup asmalloc, memleak
+ @c      re_node_set_alloc dup asmalloc, memleak
+@@ -1322,7 +1323,7 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c       re_node_set_remove_at dup ok
+ @c      re_node_set_contains dup ok
+ @c     re_acquire_state dup asmalloc, memleak
+-@c     sift_states_bkref asmalloc, memleak
++@c     sift_states_bkref glocale, asmalloc, memleak
+ @c      search_cur_bkref_entry dup ok
+ @c      check_dst_limits ok
+ @c       search_cur_bkref_entry dup ok
+@@ -1330,7 +1331,7 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c        check_dst_limits_calc_pos_1 ok
+ @c      re_node_set_init_copy dup asmalloc, memleak
+ @c      re_node_set_insert dup asmalloc, memleak
+-@c      sift_states_backward dup
++@c      sift_states_backward dup glocale, asmalloc, memleak
+ @c      merge_state_array dup asmalloc, memleak
+ @c      re_node_set_remove ok
+ @c       re_node_set_contains dup ok
+@@ -1338,9 +1339,9 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @c      re_node_set_free dup asmalloc, memleak
+ @c    re_node_set_free dup asmalloc, memleak
+ @c    re_node_set_empty dup ok
+-@c    build_sifted_states
+-@c     sift_states_iter_mb
+-@c      check_node_accept_bytes dup
++@c    build_sifted_states glocale, asmalloc, memleak
++@c     sift_states_iter_mb glocale, asmalloc, memleak
++@c      check_node_accept_bytes dup glocale, asmalloc, memleak
+ @c     check_node_accept dup ok
+ @c     check_dst_limits dup ok
+ @c     re_node_set_insert dup asmalloc, memleak

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d4ee0440dd5f7ec044f9e8e9bf0e99de22a9fb07

commit d4ee0440dd5f7ec044f9e8e9bf0e99de22a9fb07
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:43:23 2013 -0300

    Refresh of wip-manual-document-mt-safety-pattern.patch

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 4b66204..da2c8b6 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -829,7 +829,7 @@ expression into it by calling @code{regcomp}.
 @c         re_string_fetch_byte dup ok
 @c         re_string_peek_byte dup ok
 @c         re_string_skip_bytes dup ok
-@c        peek_token_bracket dup
+@c        peek_token_bracket dup ok
 @c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
@@ -1130,8 +1130,9 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @c libc_lock_lock selfdeadlock, lockleak
-@c re_search_internal
+@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c  re_string_allocate asmalloc, memleak
 @c   re_string_construct_common dup ok
 @c   re_string_realloc_buffers dup asmalloc, memleak
@@ -1139,7 +1140,7 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c   (re_)malloc dup asmalloc, memleak
 @c  re_string_byte_at ok
 @c  re_string_first_byte dup ok
-@c  check_matching
+@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c   re_string_cur_idx dup ok
 @c   acquire_init_state_context dup asmalloc, memleak
 @c    re_string_context_at ok
@@ -1150,11 +1151,11 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c    match_ctx_add_subtop asmalloc, memleak
 @c     (re_)realloc dup asmalloc, memleak
 @c     calloc dup asmalloc, memleak
-@c   transit_state_bkref
+@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c    re_string_cur_idx dup ok
 @c    re_string_context_at dup ok
 @c    NOT_SATISFY_NEXT_CONSTRAINT ok
-@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c     re_string_get_buffer ok
 @c     search_cur_bkref_entry ok
 @c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
@@ -1165,8 +1166,8 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c       build_upper_buffer dup ok (glocale, but optimized)
 @c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c       re_string_translate_buffer dup ok
-@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
-@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c       (re_)realloc dup asmalloc, memleak
 @c       re_string_context_at dup ok
 @c       re_node_set_init_1 dup asmalloc, memleak
@@ -1201,9 +1202,9 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c          free_state dup asmalloc, memleak
 @c       re_acquire_state_context dup asmalloc, memleak
 @c       re_node_set_merge dup asmalloc, memleak
-@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
+@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
 @c        re_node_set_init_empty dup ok
-@c        check_node_accept_bytes (maybe glocale), ***wcscoll
+@c        check_node_accept_bytes glocale, asmalloc, memleak
 @c         re_string_byte_at dup ok
 @c         re_string_char_size_at dup ok
 @c         re_string_elem_size_at (maybe glocale)
@@ -1217,7 +1218,7 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c          _NL_CURRENT_WORD dup ok
 @c          _NL_CURRENT dup ok
 @c         auto findidx dup ok
-@c         wcscoll ***wcscoll
+@c         wcscoll glocale, asmalloc, memleak
 @c        re_node_set_empty dup ok
 @c        re_node_set_merge dup asmalloc, memleak
 @c        re_node_set_free dup asmalloc, memleak
@@ -1233,7 +1234,7 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c       (re_)free dup asmalloc, memleak
 @c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-@c     find_subexp_node dup
+@c     find_subexp_node dup ok
 @c     calloc dup asmalloc, memleak
 @c     check_arrival dup ***
 @c     match_ctx_add_sublast asmalloc, memleak
@@ -1251,11 +1252,11 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
 @c   re_string_eoi dup ok
 @c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-@c   transit_state
-@c    transit_state_mb
+@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c     re_string_context_at dup ok
 @c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
-@c     check_node_accept_bytes dup
+@c     check_node_accept_bytes dup glocale, asmalloc, memleak
 @c     re_string_cur_idx dup ok
 @c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c     re_node_set_init_union dup asmalloc, memleak
@@ -1287,26 +1288,26 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c     bitset_merge ok
 @c     calloc dup asmalloc, memleak
 @c     bitset_contain dup ok
-@c   merge_state_with_log
+@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c    re_string_cur_idx dup ok
 @c    re_node_set_init_union dup asmalloc, memleak
 @c    re_string_context_at dup ok
 @c    re_node_set_free dup asmalloc, memleak
 @c    check_subexp_matching_top asmalloc, memleak
 @c     match_ctx_add_subtop dup asmalloc, memleak
-@c    transit_state_bkref dup
+@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
 @c   find_recover_state
 @c    re_string_cur_idx dup ok
 @c    re_string_skip_bytes dup ok
-@c    merge_state_with_log dup
-@c  check_halt_state_context dup
-@c  prune_impossible_nodes
+@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  check_halt_state_context dup ok
+@c  prune_impossible_nodes glocale, asmalloc, memleak
 @c   (re_)malloc dup asmalloc, memleak
 @c   sift_ctx_init ok
 @c    re_node_set_init_empty dup ok
-@c   sift_states_backward
+@c   sift_states_backward glocale, asmalloc, memleak
 @c    re_node_set_init_1 dup asmalloc, memleak
-@c    update_cur_sifted_state asmalloc, memleak
+@c    update_cur_sifted_state glocale, asmalloc, memleak
 @c     add_epsilon_src_nodes asmalloc, memleak
 @c      re_acquire_state dup asmalloc, memleak
 @c      re_node_set_alloc dup asmalloc, memleak
@@ -1322,7 +1323,7 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c       re_node_set_remove_at dup ok
 @c      re_node_set_contains dup ok
 @c     re_acquire_state dup asmalloc, memleak
-@c     sift_states_bkref asmalloc, memleak
+@c     sift_states_bkref glocale, asmalloc, memleak
 @c      search_cur_bkref_entry dup ok
 @c      check_dst_limits ok
 @c       search_cur_bkref_entry dup ok
@@ -1330,7 +1331,7 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c        check_dst_limits_calc_pos_1 ok
 @c      re_node_set_init_copy dup asmalloc, memleak
 @c      re_node_set_insert dup asmalloc, memleak
-@c      sift_states_backward dup
+@c      sift_states_backward dup glocale, asmalloc, memleak
 @c      merge_state_array dup asmalloc, memleak
 @c      re_node_set_remove ok
 @c       re_node_set_contains dup ok
@@ -1338,9 +1339,9 @@ unless the regular expression contains anchor characters (@samp{^} or
 @c      re_node_set_free dup asmalloc, memleak
 @c    re_node_set_free dup asmalloc, memleak
 @c    re_node_set_empty dup ok
-@c    build_sifted_states
-@c     sift_states_iter_mb
-@c      check_node_accept_bytes dup
+@c    build_sifted_states glocale, asmalloc, memleak
+@c     sift_states_iter_mb glocale, asmalloc, memleak
+@c      check_node_accept_bytes dup glocale, asmalloc, memleak
 @c     check_node_accept dup ok
 @c     check_dst_limits dup ok
 @c     re_node_set_insert dup asmalloc, memleak

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=088f4ecfd9174e8d26f01c2c8f860183e1adade0

commit 088f4ecfd9174e8d26f01c2c8f860183e1adade0
Merge: aba41c2 bbf7743 3eb260d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:28 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=aba41c25f734d1d81cbdae3e7e33be50d6291e00

commit aba41c25f734d1d81cbdae3e7e33be50d6291e00
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:28 2013 -0300

    push

diff --git a/meta b/meta
index 2969a8d..3f8d705 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 86477a8edf0127f256e096762f505b930595ab13
-Head: d11a5f289468002d2e001e32fbc1db8a8ab6004d
+Previous: 3eb260d75b2037994e4f90ebac51c25c51afded4
+Head: bbf7743976ec2adddb2f60002a8d591211e8d3c7
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -14,21 +14,21 @@ Applied:
   manual-document-mt-safety-debug.patch: 1aa7f3b6fc9a8771b43d3adb63e254f8caf5aa5b
   manual-document-mt-safety-errno.patch: 3c03cf246bde895688e98b832b45fcc835a9d2dc
   manual-document-mt-safety-filesys.patch: d11a5f289468002d2e001e32fbc1db8a8ab6004d
+  manual-document-mt-safety-getopt.patch: 31e37cd2c481327f3f02639924b80fded791908f
+  manual-document-mt-safety-libdl.patch: d0718d8b1f3d220eb4f8ffbf095617a5feed49f2
+  manual-document-mt-safety-job.patch: 950462adffbb683bfe87aa0e8e80419c3ebe59f8
+  manual-document-mt-safety-lang.patch: eadd5e24321249b093b22f50057e8396fd887b2d
+  manual-document-mt-safety-llio.patch: 97db8a779b727d321dc9cf106a644fa761073224
+  manual-document-mt-safety-stdio.patch: 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
+  wip-manual-document-mt-safety-math.patch: db9625097d5f7d73d8ba1e10cf6a592ef525404f
+  wip-manual-document-mt-safety-resource.patch: dcd90718c551e61f1cbeab38fa4363d8a7a32bd2
+  wip-manual-document-mt-safety-startup.patch: 230f153ea88ba8ed2cb29f2e2ef3cc40951f6225
+  wip-manual-document-mt-safety-search.patch: 5e0862c9507f9dc42f539d580c22b31cc9feb8df
+  wip-manual-document-mt-safety-string.patch: 18ca074b1729953c82b2ccfbe825c115d2e92612
+  wip-manual-document-mt-safety-terminal.patch: fe3192904116fc22495af608394faa50f46a1da0
+  wip-manual-document-mt-safety-threads.patch: 0130f8b910297080deea57ff964d8984d8d8df56
+  wip-manual-document-mt-safety-time.patch: 3a43e38278e86406b56895d8bf3b3040b0c1ebbb
+  wip-manual-document-mt-safety-locale.patch: e20d050989275a4938846e2098120ac93bb27b73
+  wip-manual-document-mt-safety-pattern.patch: bbf7743976ec2adddb2f60002a8d591211e8d3c7
 Unapplied:
-  manual-document-mt-safety-getopt.patch: fdbe248de910c1e7ef9ae9b744eed8d658ac5d29
-  manual-document-mt-safety-libdl.patch: ac5bbc507973eb6ce1cd3b11d0456f31bdbea7d3
-  manual-document-mt-safety-job.patch: 917a111878057a3254a5aae2a9e436e2da0521f2
-  manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
-  manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
-  manual-document-mt-safety-stdio.patch: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
-  wip-manual-document-mt-safety-math.patch: 0666d6743488860ce4130ed89f79bdda045e1559
-  wip-manual-document-mt-safety-resource.patch: e1924a257ca4ba889b69af5907ca22f235fac6c9
-  wip-manual-document-mt-safety-startup.patch: 9c28ed5886790c4874d527aa2a775a299263bad5
-  wip-manual-document-mt-safety-search.patch: 6ff8451b08998b4f998ec7de43aee9148d46f3e5
-  wip-manual-document-mt-safety-string.patch: 80f55c2d25e3968c30f5846ffabc81dedc50f709
-  wip-manual-document-mt-safety-terminal.patch: 178585271fec5719c46b62c1a25f19cd9fd28655
-  wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
-  wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
-  wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
-  wip-manual-document-mt-safety-pattern.patch: 286fc6e694c6817dda55cebcdac48f49d58232ff
 Hidden:
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index bcdbbf6..7c5d5f3 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: 157f057fc8982c458959738c2a2c8d76e6c12c7e
-Top:    ec1fe87f340be1e74d6dfed9db87effb228b388c
+Bottom: f6c126b4dc97b984cc91ac7d62ba41848149e9bc
+Top:    817c6f30f8e3616b52468c73f41d9f6a37a6e89e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:56 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 9cca92e..3905123 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 5b7b7d31d8b0edd9f840eb090384f78097436481
-Top:    9b155e11463623a6a0bb95400b2498182e34583a
+Bottom: ddc946d17210c5130384fb55efeed7143f007760
+Top:    5300149194f438df3eae0bfb33b9436f847c1b20
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:57 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index b53eeb2..fe88a7d 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 9b155e11463623a6a0bb95400b2498182e34583a
-Top:    9b7095b69b6581c1fcfb8e18046f496fbc149994
+Bottom: 5300149194f438df3eae0bfb33b9436f847c1b20
+Top:    1a5b7077b01377d6fdec0081ffac9c13cf037009
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:57 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 02605ec..7c350fa 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: ec1fe87f340be1e74d6dfed9db87effb228b388c
-Top:    5b7b7d31d8b0edd9f840eb090384f78097436481
+Bottom: 817c6f30f8e3616b52468c73f41d9f6a37a6e89e
+Top:    ddc946d17210c5130384fb55efeed7143f007760
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:57 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index f160a84..69cf5e1 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 9b7095b69b6581c1fcfb8e18046f496fbc149994
-Top:    7fe65183ca01afbf35f279fb8a0031a5633d2a1e
+Bottom: 1a5b7077b01377d6fdec0081ffac9c13cf037009
+Top:    dbeae1070d7f82bd45fdd09f92ac8b9617a600a7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:57 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index bb2b074..9a6df66 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 7fe65183ca01afbf35f279fb8a0031a5633d2a1e
-Top:    642718307250c62d80e83e8ad81aafb696296a92
+Bottom: dbeae1070d7f82bd45fdd09f92ac8b9617a600a7
+Top:    f26c5c6c4721a7c34f60aa5f7bc732d04153cd64
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 6e6dca0..d7b5c64 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 344a5475cfbcc32876fb401e993b1a6146c02663
-Top:    15a8300141ee19f4516dae06220c3f742c3d7c85
+Bottom: 3c7783bfe7de272998ff4b6668ff58fb27d5195e
+Top:    c5756e591f2df4db2169921a9937ae43e5dd0515
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:01 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 3c5a4de..b0d3038 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 642718307250c62d80e83e8ad81aafb696296a92
-Top:    96d250ae32036f1399b1ebae76631dbb2b62738d
+Bottom: f26c5c6c4721a7c34f60aa5f7bc732d04153cd64
+Top:    1edf7473ed3adfbf39a7390aa6530490cabd4b27
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
index b21a30e..ba44429 100644
--- a/patches/wip-manual-document-mt-safety-pattern.patch
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -1,5 +1,5 @@
-Bottom: 15a8300141ee19f4516dae06220c3f742c3d7c85
-Top:    97c391126dfad97118d4c685597254faf62e03f0
+Bottom: c5756e591f2df4db2169921a9937ae43e5dd0515
+Top:    b58480891cc51f5cdfe4434cd3a40ad48edac192
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 03:02:58 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 50011fd..d6f39ef 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 96d250ae32036f1399b1ebae76631dbb2b62738d
-Top:    eac45389ac7f46a006c5b0650e399877b77691df
+Bottom: 1edf7473ed3adfbf39a7390aa6530490cabd4b27
+Top:    1af05f5ff3de999f0b097ad6ce65923b3cdc2986
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 0ff2c46..3153fc6 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: b6f83a85b4b377bb75e56263833cab93a55fe8aa
-Top:    974b65fdd740c5be01caf8296db702b20af31f6e
+Bottom: 3a4ad95549c1eb22a0990741b208dcf7f9df2109
+Top:    a15b9967cd628c7e743a12baa7c51939942c7221
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 39696d9..1777e85 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: eac45389ac7f46a006c5b0650e399877b77691df
-Top:    b6f83a85b4b377bb75e56263833cab93a55fe8aa
+Bottom: 1af05f5ff3de999f0b097ad6ce65923b3cdc2986
+Top:    3a4ad95549c1eb22a0990741b208dcf7f9df2109
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 40e01f8..b2366af 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 974b65fdd740c5be01caf8296db702b20af31f6e
-Top:    b9bca735e36722eeee271d7923615db34ab3b069
+Bottom: a15b9967cd628c7e743a12baa7c51939942c7221
+Top:    a93874fc96e3fc2953e3dbc25075e40aed26e303
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 2515ce5..d2d2e45 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 4526eb59c2b81d3c38552d73b8bcdcbe825ea516
-Top:    f01ba8b728460fbc54e782ace50ff470524c4f8c
+Bottom: a93874fc96e3fc2953e3dbc25075e40aed26e303
+Top:    5feb2a01420811fae094f7c765bf93748917c28a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index b39e2e9..858f0f5 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: f01ba8b728460fbc54e782ace50ff470524c4f8c
-Top:    8247b1a7d1b5c98f69462719f1ee387fea7ccb9a
+Bottom: 5feb2a01420811fae094f7c765bf93748917c28a
+Top:    c2d062247b8bc834da6c82aa7cfd32a9bd64b195
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 749f456..1db2359 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 8247b1a7d1b5c98f69462719f1ee387fea7ccb9a
-Top:    344a5475cfbcc32876fb401e993b1a6146c02663
+Bottom: c2d062247b8bc834da6c82aa7cfd32a9bd64b195
+Top:    3c7783bfe7de272998ff4b6668ff58fb27d5195e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8208554d81801665bf30d80e86a9d43b6036428d

commit 8208554d81801665bf30d80e86a9d43b6036428d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..da2c8b6 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c All of the issues have to do with memory allocation and multi-byte 
+@c character handling present in the input string, or implied by ranges
+@c or inverted character classes.
+@c (re_)malloc asmalloc, memleak
+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
+@c    callers that don't zero the buffer)
+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   (re_)malloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c   _NL_CURRENT ok
+@c   _NL_CURRENT_WORD ok
+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  libc_lock_init ok
+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_construct_common ok
+@c   re_string_realloc_buffers asmalloc, memleak
+@c    (re_)realloc dup asmalloc, memleak
+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    isascii ok
+@c    mbsinit ok
+@c    toupper ok
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    iswlower glocale
+@c    towupper glocale
+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    (re_)malloc dup asmalloc, memleak
+@c   build_upper_buffer ok (glocale, but optimized)
+@c    islower ok
+@c    toupper ok
+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_translate_buffer ok
+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    peek_token ok (maybe glocale)
+@c     re_string_eoi ok
+@c     re_string_peek_byte ok
+@c     re_string_cur_idx ok
+@c     re_string_length ok
+@c     re_string_peek_byte_case ok (maybe glocale)
+@c      re_string_peek_byte dup ok
+@c      re_string_is_single_byte_char ok
+@c      isascii ok
+@c      re_string_peek_byte dup ok
+@c     re_string_wchar_at ok
+@c     re_string_skip_bytes ok
+@c    re_string_skip_bytes dup ok
+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_token_tree dup asmalloc, memleak
+@c      re_string_eoi dup ok
+@c      re_string_first_byte ok
+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_tree dup asmalloc, memleak
+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       postorder() asmalloc, memleak
+@c        free_tree asmalloc, memleak
+@c         free_token dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       _NL_CURRENT dup ok
+@c       _NL_CURRENT_WORD dup ok
+@c       calloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       peek_token_bracket ok
+@c        re_string_eoi dup ok
+@c        re_string_peek_byte dup ok
+@c        re_string_first_byte dup ok
+@c        re_string_cur_idx dup ok
+@c        re_string_length dup ok
+@c        re_string_skip_bytes dup ok
+@c       bitset_set ok
+@c       re_string_skip_bytes ok
+@c       parse_bracket_element ok (maybe glocale)
+@c        re_string_char_size_at ok
+@c        re_string_wchar_at dup ok
+@c        re_string_skip_bytes dup ok
+@c        parse_bracket_symbol ok (maybe glocale)
+@c         re_string_eoi dup ok
+@c         re_string_fetch_byte_case ok (maybe glocale)
+@c          re_string_fetch_byte ok
+@c          re_string_first_byte dup ok
+@c          isascii ok
+@c          re_string_char_size_at dup ok
+@c          re_string_skip_bytes dup ok
+@c         re_string_fetch_byte dup ok
+@c         re_string_peek_byte dup ok
+@c         re_string_skip_bytes dup ok
+@c        peek_token_bracket dup ok
+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         collseq_table_lookup ok
+@c         auto seek_collating_symbol_entry dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c        collseq_table_lookup dup ok
+@c       bitset_set dup ok
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_equiv_class (maybe glocale), asmalloc, memleak
+@c        _NL_CURRENT ok
+@c        auto findidx ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       auto build_collating_symbol asmalloc, memleak
+@c        auto seek_collating_symbol_entry ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       build_charclass (maybe glocale), asmalloc, memleak
+@c        (re_)realloc dup asmalloc, memleak
+@c        bitset_set dup ok
+@c        isalnum ok
+@c        iscntrl ok
+@c        isspace ok
+@c        isalpha ok
+@c        isdigit ok
+@c        isprint ok
+@c        isupper ok
+@c        isblank ok
+@c        isgraph ok
+@c        ispunct ok
+@c        isxdigit ok
+@c       bitset_not ok
+@c       bitset_mask ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c      init_word_char (maybe glocale)
+@c       isalnum ok
+@c      build_charclass_op (maybe glocale), asmalloc, memleak
+@c       calloc dup asmalloc, memleak
+@c       build_charclass dup (maybe glocale), asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c       bitset_set dup ok
+@c       bitset_not dup ok
+@c       bitset_mask dup ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_cur_idx dup ok
+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_set_index ok
+@c       postorder() asmalloc, memleak
+@c        free_tree dup asmalloc, memleak
+@c        mark_opt_subexp ok
+@c       duplicate_tree asmalloc, memleak
+@c        create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c     postorder() asmalloc, memleak
+@c      free_tree dup asmalloc, memleak
+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    create_tree dup asmalloc, memleak
+@c   create_tree asmalloc, memleak
+@c    create_token_tree asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c  analyze asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   preorder() asmalloc, memleak
+@c    optimize_subexps ok
+@c    calc_next ok
+@c    link_nfa_nodes asmalloc, memleak
+@c     re_node_set_init_1 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_2 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c   postorder() asmalloc, memleak
+@c    lower_subexps asmalloc, memleak
+@c     lower_subexp asmalloc, memleak
+@c      create_tree dup asmalloc, memleak
+@c    calc_first asmalloc, memleak
+@c     re_dfa_add_node asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c      re_node_set_init_empty ok
+@c   calc_eclosure asmalloc, memleak
+@c    calc_eclosure_iter asmalloc, memleak
+@c     re_node_set_alloc asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     duplicate_node_closure asmalloc, memleak
+@c      re_node_set_empty ok
+@c      duplicate_node asmalloc, memleak
+@c       re_dfa_add_node dup asmalloc, memleak
+@c      re_node_set_insert asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c      search_duplicated_node ok
+@c     re_node_set_merge asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c     re_node_set_free asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     re_node_set_insert dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   calc_inveclosure asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c    re_node_set_insert_last asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c  optimize_utf8 ok
+@c  create_initial_state asmalloc, memleak
+@c   re_node_set_init_copy asmalloc, memleak
+@c    (re_)malloc dup asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c   re_node_set_contains ok
+@c   re_node_set_merge dup asmalloc, memleak
+@c   re_acquire_state_context asmalloc, memleak
+@c    calc_state_hash ok
+@c    re_node_set_compare ok
+@c    create_cd_newstate asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c     free_state asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     NOT_SATISFY_PREV_CONSTRAINT ok
+@c     re_node_set_remove_at ok
+@c     register_state asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_insert_last dup asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c  free_workarea_compile asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  free_dfa_content asmalloc, memleak
+@c   free_token asmalloc, memleak
+@c    free_charset asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_set_fastmap ok
+@c    tolower ok
+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   towlower glocale
+@c   _NL_CURRENT ok
+@c (re_)free asmalloc, memleak
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for
@@ -885,6 +1130,247 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c libc_lock_lock selfdeadlock, lockleak
+@c re_search_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_string_allocate asmalloc, memleak
+@c   re_string_construct_common dup ok
+@c   re_string_realloc_buffers dup asmalloc, memleak
+@c  match_ctx_init asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c  re_string_byte_at ok
+@c  re_string_first_byte dup ok
+@c  check_matching glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_cur_idx dup ok
+@c   acquire_init_state_context dup asmalloc, memleak
+@c    re_string_context_at ok
+@c     re_string_byte_at dup ok
+@c     bitset_contain ok
+@c    re_acquire_state_context dup asmalloc, memleak
+@c   check_subexp_matching_top asmalloc, memleak
+@c    match_ctx_add_subtop asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c   transit_state_bkref glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_string_context_at dup ok
+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_get_buffer ok
+@c     search_cur_bkref_entry ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_realloc_buffers dup asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       build_upper_buffer dup ok (glocale, but optimized)
+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_translate_buffer dup ok
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       re_string_context_at dup ok
+@c       re_node_set_init_1 dup asmalloc, memleak
+@c       check_arrival_expand_ecl asmalloc, memleak
+@c        re_node_set_alloc dup asmalloc, memleak
+@c        find_subexp_node ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        check_arrival_expand_ecl_sub asmalloc, memleak
+@c         re_node_set_contains dup ok
+@c         re_node_set_insert dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_init_copy dup asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       expand_bkref_cache asmalloc, memleak
+@c        search_cur_bkref_entry dup ok
+@c        re_node_set_contains dup ok
+@c        re_node_set_init_1 dup asmalloc, memleak
+@c        check_arrival_expand_ecl dup asmalloc, memleak
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_init_copy dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_acquire_state asmalloc, memleak
+@c         calc_state_hash dup ok
+@c         re_node_set_compare dup ok
+@c         create_ci_newstate asmalloc, memleak
+@c          calloc dup asmalloc, memleak
+@c          re_node_set_init_copy dup asmalloc, memleak
+@c          (re_)free dup asmalloc, memleak
+@c          register_state dup asmalloc, memleak
+@c          free_state dup asmalloc, memleak
+@c       re_acquire_state_context dup asmalloc, memleak
+@c       re_node_set_merge dup asmalloc, memleak
+@c       check_arrival_add_next_nodes glocale, asmalloc, memleak
+@c        re_node_set_init_empty dup ok
+@c        check_node_accept_bytes glocale, asmalloc, memleak
+@c         re_string_byte_at dup ok
+@c         re_string_char_size_at dup ok
+@c         re_string_elem_size_at (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c          auto findidx dup ok
+@c         _NL_CURRENT_WORD dup ok
+@c         _NL_CURRENT dup ok
+@c         collseq_table_lookup dup ok
+@c         find_collation_sequence_value (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c         auto findidx dup ok
+@c         wcscoll glocale, asmalloc, memleak
+@c        re_node_set_empty dup ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_acquire_state dup asmalloc, memleak
+@c        check_node_accept ok
+@c         re_string_byte_at dup ok
+@c         bitset_contain dup ok
+@c         re_string_context_at dup ok
+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c      match_ctx_add_entry asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     find_subexp_node dup ok
+@c     calloc dup asmalloc, memleak
+@c     check_arrival dup ***
+@c     match_ctx_add_sublast asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c    re_acquire_state_context dup asmalloc, memleak
+@c    re_node_set_init_union asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     re_node_set_init_empty dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top dup asmalloc, memleak
+@c   check_halt_state_context ok
+@c    re_string_context_at dup ok
+@c    check_halt_node_context ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c   re_string_eoi dup ok
+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   transit_state glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    transit_state_mb glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_string_context_at dup ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c     check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     re_string_cur_idx dup ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_node_set_init_union dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c    re_string_fetch_byte dup ok
+@c    re_string_context_at dup ok
+@c    build_trtable asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     group_nodes_into_DFAstates asmalloc, memleak
+@c      bitset_empty dup ok
+@c      bitset_set dup ok
+@c      bitset_merge dup ok
+@c      bitset_set_all ok
+@c      bitset_clear ok
+@c      bitset_contain dup ok
+@c      bitset_copy ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      re_node_set_init_1 dup asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c     re_node_set_alloc dup asmalloc, memleak
+@c     malloc dup asmalloc, memleak
+@c     free dup asmalloc, memleak
+@c     re_node_set_free dup asmalloc, memleak
+@c     bitset_empty ok
+@c     re_node_set_empty dup ok
+@c     re_node_set_merge dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c     bitset_merge ok
+@c     calloc dup asmalloc, memleak
+@c     bitset_contain dup ok
+@c   merge_state_with_log glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    re_string_cur_idx dup ok
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_string_context_at dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top asmalloc, memleak
+@c     match_ctx_add_subtop dup asmalloc, memleak
+@c    transit_state_bkref dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   find_recover_state
+@c    re_string_cur_idx dup ok
+@c    re_string_skip_bytes dup ok
+@c    merge_state_with_log dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  check_halt_state_context dup ok
+@c  prune_impossible_nodes glocale, asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   sift_ctx_init ok
+@c    re_node_set_init_empty dup ok
+@c   sift_states_backward glocale, asmalloc, memleak
+@c    re_node_set_init_1 dup asmalloc, memleak
+@c    update_cur_sifted_state glocale, asmalloc, memleak
+@c     add_epsilon_src_nodes asmalloc, memleak
+@c      re_acquire_state dup asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_merge dup asmalloc, memleak
+@c      re_node_set_add_intersect asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c     check_subexp_limits asmalloc, memleak
+@c      sub_epsilon_src_nodes asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_add_intersect dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_contains dup ok
+@c     re_acquire_state dup asmalloc, memleak
+@c     sift_states_bkref glocale, asmalloc, memleak
+@c      search_cur_bkref_entry dup ok
+@c      check_dst_limits ok
+@c       search_cur_bkref_entry dup ok
+@c       check_dst_limits_calc_pos ok
+@c        check_dst_limits_calc_pos_1 ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      sift_states_backward dup glocale, asmalloc, memleak
+@c      merge_state_array dup asmalloc, memleak
+@c      re_node_set_remove ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_free dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    re_node_set_empty dup ok
+@c    build_sifted_states glocale, asmalloc, memleak
+@c     sift_states_iter_mb glocale, asmalloc, memleak
+@c      check_node_accept_bytes dup glocale, asmalloc, memleak
+@c     check_node_accept dup ok
+@c     check_dst_limits dup ok
+@c     re_node_set_insert dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c   check_halt_state_context dup ok
+@c   merge_state_array asmalloc, memleak
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_acquire_state dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  set_regs asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   re_node_set_init_empty dup ok
+@c   free_fail_stack_return asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   update_regs ok
+@c   re_node_set_free dup asmalloc, memleak
+@c   pop_fail_stack asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  (re_)free dup asmalloc, memleak
+@c  match_ctx_free asmalloc, memleak
+@c   match_ctx_clean asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct dup asmalloc, memleak
+@c libc_lock_unlock lockleak
 This function tries to match the compiled regular expression
 @code{*@var{compiled}} against @var{string}.
 
@@ -1047,6 +1533,9 @@ free the storage it uses by calling @code{regfree}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun void regfree (regex_t *@var{compiled})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c (re_)free dup asmalloc, memleak
+@c free_dfa_content dup asmalloc, memleak
 Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
 points to.  This includes various internal fields of the @code{regex_t}
 structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bbf7743976ec2adddb2f60002a8d591211e8d3c7

commit bbf7743976ec2adddb2f60002a8d591211e8d3c7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..4b66204 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c All of the issues have to do with memory allocation and multi-byte 
+@c character handling present in the input string, or implied by ranges
+@c or inverted character classes.
+@c (re_)malloc asmalloc, memleak
+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
+@c    callers that don't zero the buffer)
+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   (re_)malloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c   _NL_CURRENT ok
+@c   _NL_CURRENT_WORD ok
+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  libc_lock_init ok
+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_construct_common ok
+@c   re_string_realloc_buffers asmalloc, memleak
+@c    (re_)realloc dup asmalloc, memleak
+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    isascii ok
+@c    mbsinit ok
+@c    toupper ok
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    iswlower glocale
+@c    towupper glocale
+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    (re_)malloc dup asmalloc, memleak
+@c   build_upper_buffer ok (glocale, but optimized)
+@c    islower ok
+@c    toupper ok
+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_translate_buffer ok
+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    peek_token ok (maybe glocale)
+@c     re_string_eoi ok
+@c     re_string_peek_byte ok
+@c     re_string_cur_idx ok
+@c     re_string_length ok
+@c     re_string_peek_byte_case ok (maybe glocale)
+@c      re_string_peek_byte dup ok
+@c      re_string_is_single_byte_char ok
+@c      isascii ok
+@c      re_string_peek_byte dup ok
+@c     re_string_wchar_at ok
+@c     re_string_skip_bytes ok
+@c    re_string_skip_bytes dup ok
+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_token_tree dup asmalloc, memleak
+@c      re_string_eoi dup ok
+@c      re_string_first_byte ok
+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_tree dup asmalloc, memleak
+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       postorder() asmalloc, memleak
+@c        free_tree asmalloc, memleak
+@c         free_token dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       _NL_CURRENT dup ok
+@c       _NL_CURRENT_WORD dup ok
+@c       calloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       peek_token_bracket ok
+@c        re_string_eoi dup ok
+@c        re_string_peek_byte dup ok
+@c        re_string_first_byte dup ok
+@c        re_string_cur_idx dup ok
+@c        re_string_length dup ok
+@c        re_string_skip_bytes dup ok
+@c       bitset_set ok
+@c       re_string_skip_bytes ok
+@c       parse_bracket_element ok (maybe glocale)
+@c        re_string_char_size_at ok
+@c        re_string_wchar_at dup ok
+@c        re_string_skip_bytes dup ok
+@c        parse_bracket_symbol ok (maybe glocale)
+@c         re_string_eoi dup ok
+@c         re_string_fetch_byte_case ok (maybe glocale)
+@c          re_string_fetch_byte ok
+@c          re_string_first_byte dup ok
+@c          isascii ok
+@c          re_string_char_size_at dup ok
+@c          re_string_skip_bytes dup ok
+@c         re_string_fetch_byte dup ok
+@c         re_string_peek_byte dup ok
+@c         re_string_skip_bytes dup ok
+@c        peek_token_bracket dup
+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         collseq_table_lookup ok
+@c         auto seek_collating_symbol_entry dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c        collseq_table_lookup dup ok
+@c       bitset_set dup ok
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_equiv_class (maybe glocale), asmalloc, memleak
+@c        _NL_CURRENT ok
+@c        auto findidx ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       auto build_collating_symbol asmalloc, memleak
+@c        auto seek_collating_symbol_entry ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       build_charclass (maybe glocale), asmalloc, memleak
+@c        (re_)realloc dup asmalloc, memleak
+@c        bitset_set dup ok
+@c        isalnum ok
+@c        iscntrl ok
+@c        isspace ok
+@c        isalpha ok
+@c        isdigit ok
+@c        isprint ok
+@c        isupper ok
+@c        isblank ok
+@c        isgraph ok
+@c        ispunct ok
+@c        isxdigit ok
+@c       bitset_not ok
+@c       bitset_mask ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c      init_word_char (maybe glocale)
+@c       isalnum ok
+@c      build_charclass_op (maybe glocale), asmalloc, memleak
+@c       calloc dup asmalloc, memleak
+@c       build_charclass dup (maybe glocale), asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c       bitset_set dup ok
+@c       bitset_not dup ok
+@c       bitset_mask dup ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_cur_idx dup ok
+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_set_index ok
+@c       postorder() asmalloc, memleak
+@c        free_tree dup asmalloc, memleak
+@c        mark_opt_subexp ok
+@c       duplicate_tree asmalloc, memleak
+@c        create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c     postorder() asmalloc, memleak
+@c      free_tree dup asmalloc, memleak
+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    create_tree dup asmalloc, memleak
+@c   create_tree asmalloc, memleak
+@c    create_token_tree asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c  analyze asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   preorder() asmalloc, memleak
+@c    optimize_subexps ok
+@c    calc_next ok
+@c    link_nfa_nodes asmalloc, memleak
+@c     re_node_set_init_1 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_2 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c   postorder() asmalloc, memleak
+@c    lower_subexps asmalloc, memleak
+@c     lower_subexp asmalloc, memleak
+@c      create_tree dup asmalloc, memleak
+@c    calc_first asmalloc, memleak
+@c     re_dfa_add_node asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c      re_node_set_init_empty ok
+@c   calc_eclosure asmalloc, memleak
+@c    calc_eclosure_iter asmalloc, memleak
+@c     re_node_set_alloc asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     duplicate_node_closure asmalloc, memleak
+@c      re_node_set_empty ok
+@c      duplicate_node asmalloc, memleak
+@c       re_dfa_add_node dup asmalloc, memleak
+@c      re_node_set_insert asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c      search_duplicated_node ok
+@c     re_node_set_merge asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c     re_node_set_free asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     re_node_set_insert dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   calc_inveclosure asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c    re_node_set_insert_last asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c  optimize_utf8 ok
+@c  create_initial_state asmalloc, memleak
+@c   re_node_set_init_copy asmalloc, memleak
+@c    (re_)malloc dup asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c   re_node_set_contains ok
+@c   re_node_set_merge dup asmalloc, memleak
+@c   re_acquire_state_context asmalloc, memleak
+@c    calc_state_hash ok
+@c    re_node_set_compare ok
+@c    create_cd_newstate asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c     free_state asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     NOT_SATISFY_PREV_CONSTRAINT ok
+@c     re_node_set_remove_at ok
+@c     register_state asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_insert_last dup asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c  free_workarea_compile asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  free_dfa_content asmalloc, memleak
+@c   free_token asmalloc, memleak
+@c    free_charset asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_set_fastmap ok
+@c    tolower ok
+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   towlower glocale
+@c   _NL_CURRENT ok
+@c (re_)free asmalloc, memleak
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for
@@ -885,6 +1130,246 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@c libc_lock_lock selfdeadlock, lockleak
+@c re_search_internal
+@c  re_string_allocate asmalloc, memleak
+@c   re_string_construct_common dup ok
+@c   re_string_realloc_buffers dup asmalloc, memleak
+@c  match_ctx_init asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c  re_string_byte_at ok
+@c  re_string_first_byte dup ok
+@c  check_matching
+@c   re_string_cur_idx dup ok
+@c   acquire_init_state_context dup asmalloc, memleak
+@c    re_string_context_at ok
+@c     re_string_byte_at dup ok
+@c     bitset_contain ok
+@c    re_acquire_state_context dup asmalloc, memleak
+@c   check_subexp_matching_top asmalloc, memleak
+@c    match_ctx_add_subtop asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c   transit_state_bkref
+@c    re_string_cur_idx dup ok
+@c    re_string_context_at dup ok
+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c     re_string_get_buffer ok
+@c     search_cur_bkref_entry ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_realloc_buffers dup asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       build_upper_buffer dup ok (glocale, but optimized)
+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_translate_buffer dup ok
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c       (re_)realloc dup asmalloc, memleak
+@c       re_string_context_at dup ok
+@c       re_node_set_init_1 dup asmalloc, memleak
+@c       check_arrival_expand_ecl asmalloc, memleak
+@c        re_node_set_alloc dup asmalloc, memleak
+@c        find_subexp_node ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        check_arrival_expand_ecl_sub asmalloc, memleak
+@c         re_node_set_contains dup ok
+@c         re_node_set_insert dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_init_copy dup asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       expand_bkref_cache asmalloc, memleak
+@c        search_cur_bkref_entry dup ok
+@c        re_node_set_contains dup ok
+@c        re_node_set_init_1 dup asmalloc, memleak
+@c        check_arrival_expand_ecl dup asmalloc, memleak
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_init_copy dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_acquire_state asmalloc, memleak
+@c         calc_state_hash dup ok
+@c         re_node_set_compare dup ok
+@c         create_ci_newstate asmalloc, memleak
+@c          calloc dup asmalloc, memleak
+@c          re_node_set_init_copy dup asmalloc, memleak
+@c          (re_)free dup asmalloc, memleak
+@c          register_state dup asmalloc, memleak
+@c          free_state dup asmalloc, memleak
+@c       re_acquire_state_context dup asmalloc, memleak
+@c       re_node_set_merge dup asmalloc, memleak
+@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
+@c        re_node_set_init_empty dup ok
+@c        check_node_accept_bytes (maybe glocale), ***wcscoll
+@c         re_string_byte_at dup ok
+@c         re_string_char_size_at dup ok
+@c         re_string_elem_size_at (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c          auto findidx dup ok
+@c         _NL_CURRENT_WORD dup ok
+@c         _NL_CURRENT dup ok
+@c         collseq_table_lookup dup ok
+@c         find_collation_sequence_value (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c         auto findidx dup ok
+@c         wcscoll ***wcscoll
+@c        re_node_set_empty dup ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_acquire_state dup asmalloc, memleak
+@c        check_node_accept ok
+@c         re_string_byte_at dup ok
+@c         bitset_contain dup ok
+@c         re_string_context_at dup ok
+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c      match_ctx_add_entry asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     find_subexp_node dup
+@c     calloc dup asmalloc, memleak
+@c     check_arrival dup ***
+@c     match_ctx_add_sublast asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c    re_acquire_state_context dup asmalloc, memleak
+@c    re_node_set_init_union asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     re_node_set_init_empty dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top dup asmalloc, memleak
+@c   check_halt_state_context ok
+@c    re_string_context_at dup ok
+@c    check_halt_node_context ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c   re_string_eoi dup ok
+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   transit_state
+@c    transit_state_mb
+@c     re_string_context_at dup ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c     check_node_accept_bytes dup
+@c     re_string_cur_idx dup ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_node_set_init_union dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c    re_string_fetch_byte dup ok
+@c    re_string_context_at dup ok
+@c    build_trtable asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     group_nodes_into_DFAstates asmalloc, memleak
+@c      bitset_empty dup ok
+@c      bitset_set dup ok
+@c      bitset_merge dup ok
+@c      bitset_set_all ok
+@c      bitset_clear ok
+@c      bitset_contain dup ok
+@c      bitset_copy ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      re_node_set_init_1 dup asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c     re_node_set_alloc dup asmalloc, memleak
+@c     malloc dup asmalloc, memleak
+@c     free dup asmalloc, memleak
+@c     re_node_set_free dup asmalloc, memleak
+@c     bitset_empty ok
+@c     re_node_set_empty dup ok
+@c     re_node_set_merge dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c     bitset_merge ok
+@c     calloc dup asmalloc, memleak
+@c     bitset_contain dup ok
+@c   merge_state_with_log
+@c    re_string_cur_idx dup ok
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_string_context_at dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top asmalloc, memleak
+@c     match_ctx_add_subtop dup asmalloc, memleak
+@c    transit_state_bkref dup
+@c   find_recover_state
+@c    re_string_cur_idx dup ok
+@c    re_string_skip_bytes dup ok
+@c    merge_state_with_log dup
+@c  check_halt_state_context dup
+@c  prune_impossible_nodes
+@c   (re_)malloc dup asmalloc, memleak
+@c   sift_ctx_init ok
+@c    re_node_set_init_empty dup ok
+@c   sift_states_backward
+@c    re_node_set_init_1 dup asmalloc, memleak
+@c    update_cur_sifted_state asmalloc, memleak
+@c     add_epsilon_src_nodes asmalloc, memleak
+@c      re_acquire_state dup asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_merge dup asmalloc, memleak
+@c      re_node_set_add_intersect asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c     check_subexp_limits asmalloc, memleak
+@c      sub_epsilon_src_nodes asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_add_intersect dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_contains dup ok
+@c     re_acquire_state dup asmalloc, memleak
+@c     sift_states_bkref asmalloc, memleak
+@c      search_cur_bkref_entry dup ok
+@c      check_dst_limits ok
+@c       search_cur_bkref_entry dup ok
+@c       check_dst_limits_calc_pos ok
+@c        check_dst_limits_calc_pos_1 ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      sift_states_backward dup
+@c      merge_state_array dup asmalloc, memleak
+@c      re_node_set_remove ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_free dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    re_node_set_empty dup ok
+@c    build_sifted_states
+@c     sift_states_iter_mb
+@c      check_node_accept_bytes dup
+@c     check_node_accept dup ok
+@c     check_dst_limits dup ok
+@c     re_node_set_insert dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c   check_halt_state_context dup ok
+@c   merge_state_array asmalloc, memleak
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_acquire_state dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  set_regs asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   re_node_set_init_empty dup ok
+@c   free_fail_stack_return asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   update_regs ok
+@c   re_node_set_free dup asmalloc, memleak
+@c   pop_fail_stack asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  (re_)free dup asmalloc, memleak
+@c  match_ctx_free asmalloc, memleak
+@c   match_ctx_clean asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct dup asmalloc, memleak
+@c libc_lock_unlock lockleak
 This function tries to match the compiled regular expression
 @code{*@var{compiled}} against @var{string}.
 
@@ -1047,6 +1532,9 @@ free the storage it uses by calling @code{regfree}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun void regfree (regex_t *@var{compiled})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c (re_)free dup asmalloc, memleak
+@c free_dfa_content dup asmalloc, memleak
 Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
 points to.  This includes various internal fields of the @code{regex_t}
 structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e20d050989275a4938846e2098120ac93bb27b73

commit e20d050989275a4938846e2098120ac93bb27b73
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..11c9dc7 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
@@ -414,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -680,6 +815,10 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.  It
+@c doesn't run afoul of glocale itself, but callers may.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -974,6 +1113,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified
@@ -1185,6 +1329,8 @@ access to the corresponding locale definitions.
 @comment GNU
 @comment stdlib.h
 @deftypefun int rpmatch (const char *@var{response})
+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
+@c regfree, regcomp and regexec.
 The function @code{rpmatch} checks the string in @var{response} whether
 or not it is a correct yes-or-no answer and if yes, which one.  The
 check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3a43e38278e86406b56895d8bf3b3040b0c1ebbb

commit 3a43e38278e86406b56895d8bf3b3040b0c1ebbb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0130f8b910297080deea57ff964d8984d8d8df56

commit 0130f8b910297080deea57ff964d8984d8d8df56
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe3192904116fc22495af608394faa50f46a1da0

commit fe3192904116fc22495af608394faa50f46a1da0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=18ca074b1729953c82b2ccfbe825c115d2e92612

commit 18ca074b1729953c82b2ccfbe825c115d2e92612
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 2a164a9..b63a849 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Calls strcoll_l with the current locale, which dereferences only the
+@c LC_COLLATE data pointer.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1351,6 +1361,8 @@ collating sequence of the current locale for collation (the
 @comment wchar.h
 @comment ISO
 @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Same as strcoll, but calling wcscoll_l.
 The @code{wcscoll} function is similar to @code{wcscmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1649,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1691,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2689,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=97db8a779b727d321dc9cf106a644fa761073224

commit 97db8a779b727d321dc9cf106a644fa761073224
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1326,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1353,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1450,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1585,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1597,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1609,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1728,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2201,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2287,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2463,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2775,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3882,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3902,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=db9625097d5f7d73d8ba1e10cf6a592ef525404f

commit db9625097d5f7d73d8ba1e10cf6a592ef525404f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5e0862c9507f9dc42f539d580c22b31cc9feb8df

commit 5e0862c9507f9dc42f539d580c22b31cc9feb8df
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eadd5e24321249b093b22f50057e8396fd887b2d

commit eadd5e24321249b093b22f50057e8396fd887b2d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8

commit 63ec6cc0ec5f71f1e34e18def7b86eda75a61ce8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 30630ca..9ffe87b 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger than @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1397,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1407,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1417,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1546,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1631,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2393,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2403,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2444,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2653,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2662,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale, asmalloc, memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2827,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4243,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4441,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4636,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4806,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4823,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4948,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5118,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5234,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=230f153ea88ba8ed2cb29f2e2ef3cc40951f6225

commit 230f153ea88ba8ed2cb29f2e2ef3cc40951f6225
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=950462adffbb683bfe87aa0e8e80419c3ebe59f8

commit 950462adffbb683bfe87aa0e8e80419c3ebe59f8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1154,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1188,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1227,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1322,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dcd90718c551e61f1cbeab38fa4363d8a7a32bd2

commit dcd90718c551e61f1cbeab38fa4363d8a7a32bd2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d0718d8b1f3d220eb4f8ffbf095617a5feed49f2

commit d0718d8b1f3d220eb4f8ffbf095617a5feed49f2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=31e37cd2c481327f3f02639924b80fded791908f

commit 31e37cd2c481327f3f02639924b80fded791908f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:56 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3eb260d75b2037994e4f90ebac51c25c51afded4

commit 3eb260d75b2037994e4f90ebac51c25c51afded4
Merge: de83f27 d11a5f2 86477a8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:19 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=de83f2729b57b537b66a3e179ba5939f6923d535

commit de83f2729b57b537b66a3e179ba5939f6923d535
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:19 2013 -0300

    refresh

diff --git a/meta b/meta
index b0e4a07..2969a8d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5abf433f4506e28fd73fd2b3dc1e5643add6bf53
-Head: 70482a4a8b5600e7458a51b6abf9728680496aab
+Previous: 86477a8edf0127f256e096762f505b930595ab13
+Head: d11a5f289468002d2e001e32fbc1db8a8ab6004d
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -13,8 +13,7 @@ Applied:
   manual-document-mt-safety-ctype.patch: dbe30b42d6c674a6d02343411c9d29f4bbab2084
   manual-document-mt-safety-debug.patch: 1aa7f3b6fc9a8771b43d3adb63e254f8caf5aa5b
   manual-document-mt-safety-errno.patch: 3c03cf246bde895688e98b832b45fcc835a9d2dc
-  manual-document-mt-safety-filesys.patch: 76884a41c04d96b2e1bab16fd4f76157c306fc81
-  refresh-temp: 70482a4a8b5600e7458a51b6abf9728680496aab
+  manual-document-mt-safety-filesys.patch: d11a5f289468002d2e001e32fbc1db8a8ab6004d
 Unapplied:
   manual-document-mt-safety-getopt.patch: fdbe248de910c1e7ef9ae9b744eed8d658ac5d29
   manual-document-mt-safety-libdl.patch: ac5bbc507973eb6ce1cd3b11d0456f31bdbea7d3
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 147c536..9e611e5 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
 Bottom: cd380e093eb8bd489394de0daad301f35820b2e8
-Top:    157f057fc8982c458959738c2a2c8d76e6c12c7e
+Top:    f6c126b4dc97b984cc91ac7d62ba41848149e9bc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:56 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 1cac453..182fd33 100644
+index 1cac453..cd23ff6d3 100644
 --- a/manual/filesys.texi
 +++ b/manual/filesys.texi
 @@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
@@ -222,7 +222,7 @@ index 1cac453..182fd33 100644
  @comment dirent.h
  @comment BSD/SVID
  @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
 +@c Calls strcoll.
  The @code{alphasort} function behaves like the @code{strcoll} function
  (@pxref{String/Array Comparison}).  The difference is that the arguments
@@ -231,8 +231,8 @@ index 1cac453..182fd33 100644
  @comment dirent.h
  @comment GNU
  @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c Calls strverscmp.
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Calls strverscmp, which will evaluate .
  The @code{versionsort} function is like @code{alphasort} except that it
  uses the @code{strverscmp} function internally.
  @end deftypefun
@@ -249,7 +249,7 @@ index 1cac453..182fd33 100644
  @comment dirent.h
  @comment GNU
  @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
 +@c See alphasort.
  The @code{alphasort64} function behaves like the @code{strcoll} function
  (@pxref{String/Array Comparison}).  The difference is that the arguments
@@ -258,7 +258,7 @@ index 1cac453..182fd33 100644
  @comment dirent.h
  @comment GNU
  @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 +@c See versionsort.
  The @code{versionsort64} function is like @code{alphasort64}, excepted that it
  uses the @code{strverscmp} function internally.
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index ff66e17..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,51 +0,0 @@
-Bottom: 157f057fc8982c458959738c2a2c8d76e6c12c7e
-Top:    f6c126b4dc97b984cc91ac7d62ba41848149e9bc
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 12:34:18 -0300
-
-Refresh of manual-document-mt-safety-filesys.patch
-
----
-
-diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 182fd33..cd23ff6d3 100644
---- a/manual/filesys.texi
-+++ b/manual/filesys.texi
-@@ -749,7 +749,7 @@ are very helpful for this purpose.
- @comment dirent.h
- @comment BSD/SVID
- @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
--@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
- @c Calls strcoll.
- The @code{alphasort} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
-@@ -763,8 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
--@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
--@c Calls strverscmp.
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c Calls strverscmp, which will evaluate .
- The @code{versionsort} function is like @code{alphasort} except that it
- uses the @code{strverscmp} function internally.
- @end deftypefun
-@@ -797,7 +797,7 @@ argument.  Instead we provide the two replacement functions below.
- @comment dirent.h
- @comment GNU
- @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
--@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
- @c See alphasort.
- The @code{alphasort64} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
-@@ -811,7 +811,7 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
--@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- @c See versionsort.
- The @code{versionsort64} function is like @code{alphasort64}, excepted that it
- uses the @code{strverscmp} function internally.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=86477a8edf0127f256e096762f505b930595ab13

commit 86477a8edf0127f256e096762f505b930595ab13
Merge: 82c8d99 5abf433 70482a4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:19 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=82c8d996b6adbcf1148d5d6b610c1cae0200fc05

commit 82c8d996b6adbcf1148d5d6b610c1cae0200fc05
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:19 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index a632c5b..b0e4a07 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a06afebee80c99a32f02cd410290a65b5f7e40f6
-Head: 76884a41c04d96b2e1bab16fd4f76157c306fc81
+Previous: 5abf433f4506e28fd73fd2b3dc1e5643add6bf53
+Head: 70482a4a8b5600e7458a51b6abf9728680496aab
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -14,6 +14,7 @@ Applied:
   manual-document-mt-safety-debug.patch: 1aa7f3b6fc9a8771b43d3adb63e254f8caf5aa5b
   manual-document-mt-safety-errno.patch: 3c03cf246bde895688e98b832b45fcc835a9d2dc
   manual-document-mt-safety-filesys.patch: 76884a41c04d96b2e1bab16fd4f76157c306fc81
+  refresh-temp: 70482a4a8b5600e7458a51b6abf9728680496aab
 Unapplied:
   manual-document-mt-safety-getopt.patch: fdbe248de910c1e7ef9ae9b744eed8d658ac5d29
   manual-document-mt-safety-libdl.patch: ac5bbc507973eb6ce1cd3b11d0456f31bdbea7d3
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..ff66e17
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,51 @@
+Bottom: 157f057fc8982c458959738c2a2c8d76e6c12c7e
+Top:    f6c126b4dc97b984cc91ac7d62ba41848149e9bc
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 12:34:18 -0300
+
+Refresh of manual-document-mt-safety-filesys.patch
+
+---
+
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 182fd33..cd23ff6d3 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -749,7 +749,7 @@ are very helpful for this purpose.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+-@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+ @c Calls strcoll.
+ The @code{alphasort} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+@@ -763,8 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+-@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+-@c Calls strverscmp.
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Calls strverscmp, which will evaluate .
+ The @code{versionsort} function is like @code{alphasort} except that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -797,7 +797,7 @@ argument.  Instead we provide the two replacement functions below.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+-@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+ @c See alphasort.
+ The @code{alphasort64} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+@@ -811,7 +811,7 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+-@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ @c See versionsort.
+ The @code{versionsort64} function is like @code{alphasort64}, excepted that it
+ uses the @code{strverscmp} function internally.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=70482a4a8b5600e7458a51b6abf9728680496aab

commit 70482a4a8b5600e7458a51b6abf9728680496aab
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:18 2013 -0300

    Refresh of manual-document-mt-safety-filesys.patch

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 182fd33..cd23ff6 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -749,7 +749,7 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
-@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
 @c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
@@ -763,8 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
-@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-@c Calls strverscmp.
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Calls strverscmp, which will evaluate .
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -797,7 +797,7 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
-@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
 @c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
@@ -811,7 +811,7 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
-@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 @c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5abf433f4506e28fd73fd2b3dc1e5643add6bf53

commit 5abf433f4506e28fd73fd2b3dc1e5643add6bf53
Merge: cb606d1 a06afeb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:07 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cb606d15951e191acc9fdf75af2d6918c060751a

commit cb606d15951e191acc9fdf75af2d6918c060751a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:34:07 2013 -0300

    goto

diff --git a/meta b/meta
index 0c57229..a632c5b 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 156c4fb10efc6d333ac5f9e9b17abd2264f6bf02
-Head: 80f55c2d25e3968c30f5846ffabc81dedc50f709
+Previous: a06afebee80c99a32f02cd410290a65b5f7e40f6
+Head: 76884a41c04d96b2e1bab16fd4f76157c306fc81
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -14,6 +14,7 @@ Applied:
   manual-document-mt-safety-debug.patch: 1aa7f3b6fc9a8771b43d3adb63e254f8caf5aa5b
   manual-document-mt-safety-errno.patch: 3c03cf246bde895688e98b832b45fcc835a9d2dc
   manual-document-mt-safety-filesys.patch: 76884a41c04d96b2e1bab16fd4f76157c306fc81
+Unapplied:
   manual-document-mt-safety-getopt.patch: fdbe248de910c1e7ef9ae9b744eed8d658ac5d29
   manual-document-mt-safety-libdl.patch: ac5bbc507973eb6ce1cd3b11d0456f31bdbea7d3
   manual-document-mt-safety-job.patch: 917a111878057a3254a5aae2a9e436e2da0521f2
@@ -25,7 +26,6 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: 9c28ed5886790c4874d527aa2a775a299263bad5
   wip-manual-document-mt-safety-search.patch: 6ff8451b08998b4f998ec7de43aee9148d46f3e5
   wip-manual-document-mt-safety-string.patch: 80f55c2d25e3968c30f5846ffabc81dedc50f709
-Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 178585271fec5719c46b62c1a25f19cd9fd28655
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a06afebee80c99a32f02cd410290a65b5f7e40f6

commit a06afebee80c99a32f02cd410290a65b5f7e40f6
Merge: 3825b5d 156c4fb 80f55c2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:28:54 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3825b5d7dff2420a8d8e7789769ce25942db3257

commit 3825b5d7dff2420a8d8e7789769ce25942db3257
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:28:54 2013 -0300

    refresh

diff --git a/meta b/meta
index 4814f00..0c57229 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 26b0af44900a2634db1e3d833b3eed38af2ab556
-Head: de04419f9e61fa674b484151504612f6ec201644
+Previous: 156c4fb10efc6d333ac5f9e9b17abd2264f6bf02
+Head: 80f55c2d25e3968c30f5846ffabc81dedc50f709
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -24,8 +24,7 @@ Applied:
   wip-manual-document-mt-safety-resource.patch: e1924a257ca4ba889b69af5907ca22f235fac6c9
   wip-manual-document-mt-safety-startup.patch: 9c28ed5886790c4874d527aa2a775a299263bad5
   wip-manual-document-mt-safety-search.patch: 6ff8451b08998b4f998ec7de43aee9148d46f3e5
-  wip-manual-document-mt-safety-string.patch: 241e5dd068f11629bd72636268cfb0330d352e02
-  refresh-temp: de04419f9e61fa674b484151504612f6ec201644
+  wip-manual-document-mt-safety-string.patch: 80f55c2d25e3968c30f5846ffabc81dedc50f709
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 178585271fec5719c46b62c1a25f19cd9fd28655
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 88817ad..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,34 +0,0 @@
-Bottom: 4526eb59c2b81d3c38552d73b8bcdcbe825ea516
-Top:    b9bca735e36722eeee271d7923615db34ab3b069
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 12:28:53 -0300
-
-Refresh of wip-manual-document-mt-safety-string.patch
-
----
-
-diff --git a/manual/string.texi b/manual/string.texi
-index 173306c..b63a849 100644
---- a/manual/string.texi
-+++ b/manual/string.texi
-@@ -1350,8 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
- @comment string.h
- @comment ISO
- @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
--@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
--@c Adjust alphasort one safety info is determined.
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
-+@c Calls strcoll_l with the current locale, which dereferences only the
-+@c LC_COLLATE data pointer.
- The @code{strcoll} function is similar to @code{strcmp} but uses the
- collating sequence of the current locale for collation (the
- @code{LC_COLLATE} locale).
-@@ -1360,6 +1361,8 @@ collating sequence of the current locale for collation (the
- @comment wchar.h
- @comment ISO
- @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
-+@c Same as strcoll, but calling wcscoll_l.
- The @code{wcscoll} function is similar to @code{wcscmp} but uses the
- collating sequence of the current locale for collation (the
- @code{LC_COLLATE} locale).
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index b6c4a09..40e01f8 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
 Bottom: 974b65fdd740c5be01caf8296db702b20af31f6e
-Top:    4526eb59c2b81d3c38552d73b8bcdcbe825ea516
+Top:    b9bca735e36722eeee271d7923615db34ab3b069
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/string.texi b/manual/string.texi
-index 2a164a9..173306c 100644
+index 2a164a9..b63a849 100644
 --- a/manual/string.texi
 +++ b/manual/string.texi
 @@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
@@ -37,16 +37,26 @@ index 2a164a9..173306c 100644
  The @code{strverscmp} function compares the string @var{s1} against
  @var{s2}, considering them as holding indices/version numbers.  The
  return value follows the same conventions as found in the
-@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
+@@ -1343,6 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
  @comment string.h
  @comment ISO
  @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c Adjust alphasort one safety info is determined.
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
++@c Calls strcoll_l with the current locale, which dereferences only the
++@c LC_COLLATE data pointer.
  The @code{strcoll} function is similar to @code{strcmp} but uses the
  collating sequence of the current locale for collation (the
  @code{LC_COLLATE} locale).
-@@ -1637,6 +1646,7 @@ This function is a GNU extension.
+@@ -1351,6 +1361,8 @@ collating sequence of the current locale for collation (the
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
++@c Same as strcoll, but calling wcscoll_l.
+ The @code{wcscoll} function is similar to @code{wcscmp} but uses the
+ collating sequence of the current locale for collation (the
+ @code{LC_COLLATE} locale).
+@@ -1637,6 +1649,7 @@ This function is a GNU extension.
  @comment string.h
  @comment ISO
  @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
@@ -54,7 +64,7 @@ index 2a164a9..173306c 100644
  The @code{strchr} function finds the first occurrence of the character
  @var{c} (converted to a @code{char}) in the null-terminated string
  beginning at @var{string}.  The return value is a pointer to the located
-@@ -1678,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
+@@ -1678,6 +1691,7 @@ to use @code{wcschrnul} in this case, though.
  @comment string.h
  @comment GNU
  @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
@@ -62,7 +72,7 @@ index 2a164a9..173306c 100644
  @code{strchrnul} is the same as @code{strchr} except that if it does
  not find the character, it returns a pointer to string's terminating
  null character rather than a null pointer.
-@@ -2675,3 +2686,6 @@ being added to @var{envz}, if @var{override} is false.
+@@ -2675,3 +2689,6 @@ being added to @var{envz}, if @var{override} is false.
  The @code{envz_strip} function removes any null entries from @var{envz},
  updating @code{*@var{envz}} and @code{*@var{envz_len}}.
  @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=156c4fb10efc6d333ac5f9e9b17abd2264f6bf02

commit 156c4fb10efc6d333ac5f9e9b17abd2264f6bf02
Merge: ebf1d48 26b0af4 de04419
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:28:53 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ebf1d481944c8e53c60f3e38fae28231c32dc0ed

commit ebf1d481944c8e53c60f3e38fae28231c32dc0ed
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:28:53 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 7ce94ff..4814f00 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: f20bbacd9e056e493020aac8fa0d020040c0b499
-Head: 241e5dd068f11629bd72636268cfb0330d352e02
+Previous: 26b0af44900a2634db1e3d833b3eed38af2ab556
+Head: de04419f9e61fa674b484151504612f6ec201644
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -25,6 +25,7 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: 9c28ed5886790c4874d527aa2a775a299263bad5
   wip-manual-document-mt-safety-search.patch: 6ff8451b08998b4f998ec7de43aee9148d46f3e5
   wip-manual-document-mt-safety-string.patch: 241e5dd068f11629bd72636268cfb0330d352e02
+  refresh-temp: de04419f9e61fa674b484151504612f6ec201644
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 178585271fec5719c46b62c1a25f19cd9fd28655
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..88817ad
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,34 @@
+Bottom: 4526eb59c2b81d3c38552d73b8bcdcbe825ea516
+Top:    b9bca735e36722eeee271d7923615db34ab3b069
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 12:28:53 -0300
+
+Refresh of wip-manual-document-mt-safety-string.patch
+
+---
+
+diff --git a/manual/string.texi b/manual/string.texi
+index 173306c..b63a849 100644
+--- a/manual/string.texi
++++ b/manual/string.texi
+@@ -1350,8 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
+ @comment string.h
+ @comment ISO
+ @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+-@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+-@c Adjust alphasort one safety info is determined.
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
++@c Calls strcoll_l with the current locale, which dereferences only the
++@c LC_COLLATE data pointer.
+ The @code{strcoll} function is similar to @code{strcmp} but uses the
+ collating sequence of the current locale for collation (the
+ @code{LC_COLLATE} locale).
+@@ -1360,6 +1361,8 @@ collating sequence of the current locale for collation (the
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
++@c Same as strcoll, but calling wcscoll_l.
+ The @code{wcscoll} function is similar to @code{wcscmp} but uses the
+ collating sequence of the current locale for collation (the
+ @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=de04419f9e61fa674b484151504612f6ec201644

commit de04419f9e61fa674b484151504612f6ec201644
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:28:53 2013 -0300

    Refresh of wip-manual-document-mt-safety-string.patch

diff --git a/manual/string.texi b/manual/string.texi
index 173306c..b63a849 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1350,8 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
-@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-@c Adjust alphasort one safety info is determined.
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Calls strcoll_l with the current locale, which dereferences only the
+@c LC_COLLATE data pointer.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1360,6 +1361,8 @@ collating sequence of the current locale for collation (the
 @comment wchar.h
 @comment ISO
 @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Same as strcoll, but calling wcscoll_l.
 The @code{wcscoll} function is similar to @code{wcscmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=26b0af44900a2634db1e3d833b3eed38af2ab556

commit 26b0af44900a2634db1e3d833b3eed38af2ab556
Merge: 3bde481 f20bbac
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:21:09 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3bde481177a447d8ca4c23f92e2ecee15094f4ef

commit 3bde481177a447d8ca4c23f92e2ecee15094f4ef
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:21:09 2013 -0300

    goto

diff --git a/meta b/meta
index afd181a..7ce94ff 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b7f5fb7fb8aab1cde840ccc066ece2c9d0aac5de
-Head: 286fc6e694c6817dda55cebcdac48f49d58232ff
+Previous: f20bbacd9e056e493020aac8fa0d020040c0b499
+Head: 241e5dd068f11629bd72636268cfb0330d352e02
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -25,10 +25,10 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: 9c28ed5886790c4874d527aa2a775a299263bad5
   wip-manual-document-mt-safety-search.patch: 6ff8451b08998b4f998ec7de43aee9148d46f3e5
   wip-manual-document-mt-safety-string.patch: 241e5dd068f11629bd72636268cfb0330d352e02
+Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 178585271fec5719c46b62c1a25f19cd9fd28655
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
   wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
   wip-manual-document-mt-safety-pattern.patch: 286fc6e694c6817dda55cebcdac48f49d58232ff
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f20bbacd9e056e493020aac8fa0d020040c0b499

commit f20bbacd9e056e493020aac8fa0d020040c0b499
Merge: dc036a2 286fc6e b7f5fb7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:19:22 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dc036a2737efd678e1153bcd5a61d2eb4eaac277

commit dc036a2737efd678e1153bcd5a61d2eb4eaac277
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:19:22 2013 -0300

    refresh

diff --git a/meta b/meta
index 533e51d..afd181a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ac662fe6d252a3d5739fc99789ddeb4816704ba0
-Head: b37401d04453d34fc6314fdc54606a46e8fb2627
+Previous: b7f5fb7fb8aab1cde840ccc066ece2c9d0aac5de
+Head: 286fc6e694c6817dda55cebcdac48f49d58232ff
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -29,7 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
   wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
-  wip-manual-document-mt-safety-pattern.patch: e8af539713392c27e540158b90c5c8c57a34dde0
-  refresh-temp: b37401d04453d34fc6314fdc54606a46e8fb2627
+  wip-manual-document-mt-safety-pattern.patch: 286fc6e694c6817dda55cebcdac48f49d58232ff
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 5185196..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,526 +0,0 @@
-Bottom: 43752d35196008e73c5b6234ceb965ba6b80c8ef
-Top:    97c391126dfad97118d4c685597254faf62e03f0
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 12:19:21 -0300
-
-Refresh of wip-manual-document-mt-safety-pattern.patch
-
----
-
-diff --git a/manual/pattern.texi b/manual/pattern.texi
-index 376566e..4b66204 100644
---- a/manual/pattern.texi
-+++ b/manual/pattern.texi
-@@ -736,10 +736,251 @@ expression into it by calling @code{regcomp}.
- @comment regex.h
- @comment POSIX.2
- @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
--@c (re_)malloc
--@c re_compile_internal
--@c re_compile_fastmap
--@c (re_)free
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
-+@c All of the issues have to do with memory allocation and multi-byte 
-+@c character handling present in the input string, or implied by ranges
-+@c or inverted character classes.
-+@c (re_)malloc asmalloc, memleak
-+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
-+@c    callers that don't zero the buffer)
-+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   (re_)malloc asmalloc, memleak
-+@c   calloc asmalloc, memleak
-+@c   _NL_CURRENT ok
-+@c   _NL_CURRENT_WORD ok
-+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c  libc_lock_init ok
-+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   re_string_construct_common ok
-+@c   re_string_realloc_buffers asmalloc, memleak
-+@c    (re_)realloc dup asmalloc, memleak
-+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    isascii ok
-+@c    mbsinit ok
-+@c    toupper ok
-+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    iswlower glocale
-+@c    towupper glocale
-+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    (re_)malloc dup asmalloc, memleak
-+@c   build_upper_buffer ok (glocale, but optimized)
-+@c    islower ok
-+@c    toupper ok
-+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   re_string_translate_buffer ok
-+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    peek_token ok (maybe glocale)
-+@c     re_string_eoi ok
-+@c     re_string_peek_byte ok
-+@c     re_string_cur_idx ok
-+@c     re_string_length ok
-+@c     re_string_peek_byte_case ok (maybe glocale)
-+@c      re_string_peek_byte dup ok
-+@c      re_string_is_single_byte_char ok
-+@c      isascii ok
-+@c      re_string_peek_byte dup ok
-+@c     re_string_wchar_at ok
-+@c     re_string_skip_bytes ok
-+@c    re_string_skip_bytes dup ok
-+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c      create_token_tree dup asmalloc, memleak
-+@c      re_string_eoi dup ok
-+@c      re_string_first_byte ok
-+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c      create_tree dup asmalloc, memleak
-+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       postorder() asmalloc, memleak
-+@c        free_tree asmalloc, memleak
-+@c         free_token dup asmalloc, memleak
-+@c       create_tree dup asmalloc, memleak
-+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       _NL_CURRENT dup ok
-+@c       _NL_CURRENT_WORD dup ok
-+@c       calloc dup asmalloc, memleak
-+@c       (re_)free dup asmalloc, memleak
-+@c       peek_token_bracket ok
-+@c        re_string_eoi dup ok
-+@c        re_string_peek_byte dup ok
-+@c        re_string_first_byte dup ok
-+@c        re_string_cur_idx dup ok
-+@c        re_string_length dup ok
-+@c        re_string_skip_bytes dup ok
-+@c       bitset_set ok
-+@c       re_string_skip_bytes ok
-+@c       parse_bracket_element ok (maybe glocale)
-+@c        re_string_char_size_at ok
-+@c        re_string_wchar_at dup ok
-+@c        re_string_skip_bytes dup ok
-+@c        parse_bracket_symbol ok (maybe glocale)
-+@c         re_string_eoi dup ok
-+@c         re_string_fetch_byte_case ok (maybe glocale)
-+@c          re_string_fetch_byte ok
-+@c          re_string_first_byte dup ok
-+@c          isascii ok
-+@c          re_string_char_size_at dup ok
-+@c          re_string_skip_bytes dup ok
-+@c         re_string_fetch_byte dup ok
-+@c         re_string_peek_byte dup ok
-+@c         re_string_skip_bytes dup ok
-+@c        peek_token_bracket dup
-+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c         collseq_table_lookup ok
-+@c         auto seek_collating_symbol_entry dup ok
-+@c        (re_)realloc dup asmalloc, memleak
-+@c        collseq_table_lookup dup ok
-+@c       bitset_set dup ok
-+@c       (re_)realloc dup asmalloc, memleak
-+@c       build_equiv_class (maybe glocale), asmalloc, memleak
-+@c        _NL_CURRENT ok
-+@c        auto findidx ok
-+@c        bitset_set dup ok
-+@c        (re_)realloc dup asmalloc, memleak
-+@c       auto build_collating_symbol asmalloc, memleak
-+@c        auto seek_collating_symbol_entry ok
-+@c        bitset_set dup ok
-+@c        (re_)realloc dup asmalloc, memleak
-+@c       build_charclass (maybe glocale), asmalloc, memleak
-+@c        (re_)realloc dup asmalloc, memleak
-+@c        bitset_set dup ok
-+@c        isalnum ok
-+@c        iscntrl ok
-+@c        isspace ok
-+@c        isalpha ok
-+@c        isdigit ok
-+@c        isprint ok
-+@c        isupper ok
-+@c        isblank ok
-+@c        isgraph ok
-+@c        ispunct ok
-+@c        isxdigit ok
-+@c       bitset_not ok
-+@c       bitset_mask ok
-+@c       create_token_tree dup asmalloc, memleak
-+@c       create_tree dup asmalloc, memleak
-+@c       free_charset dup asmalloc, memleak
-+@c      init_word_char (maybe glocale)
-+@c       isalnum ok
-+@c      build_charclass_op (maybe glocale), asmalloc, memleak
-+@c       calloc dup asmalloc, memleak
-+@c       build_charclass dup (maybe glocale), asmalloc, memleak
-+@c       (re_)free dup asmalloc, memleak
-+@c       free_charset dup asmalloc, memleak
-+@c       bitset_set dup ok
-+@c       bitset_not dup ok
-+@c       bitset_mask dup ok
-+@c       create_token_tree dup asmalloc, memleak
-+@c       create_tree dup asmalloc, memleak
-+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       re_string_cur_idx dup ok
-+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       re_string_set_index ok
-+@c       postorder() asmalloc, memleak
-+@c        free_tree dup asmalloc, memleak
-+@c        mark_opt_subexp ok
-+@c       duplicate_tree asmalloc, memleak
-+@c        create_token_tree dup asmalloc, memleak
-+@c       create_tree dup asmalloc, memleak
-+@c     postorder() asmalloc, memleak
-+@c      free_tree dup asmalloc, memleak
-+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c    create_tree dup asmalloc, memleak
-+@c   create_tree asmalloc, memleak
-+@c    create_token_tree asmalloc, memleak
-+@c     (re_)malloc dup asmalloc, memleak
-+@c  analyze asmalloc, memleak
-+@c   (re_)malloc dup asmalloc, memleak
-+@c   preorder() asmalloc, memleak
-+@c    optimize_subexps ok
-+@c    calc_next ok
-+@c    link_nfa_nodes asmalloc, memleak
-+@c     re_node_set_init_1 asmalloc, memleak
-+@c      (re_)malloc dup asmalloc, memleak
-+@c     re_node_set_init_2 asmalloc, memleak
-+@c      (re_)malloc dup asmalloc, memleak
-+@c   postorder() asmalloc, memleak
-+@c    lower_subexps asmalloc, memleak
-+@c     lower_subexp asmalloc, memleak
-+@c      create_tree dup asmalloc, memleak
-+@c    calc_first asmalloc, memleak
-+@c     re_dfa_add_node asmalloc, memleak
-+@c      (re_)realloc dup asmalloc, memleak
-+@c      re_node_set_init_empty ok
-+@c   calc_eclosure asmalloc, memleak
-+@c    calc_eclosure_iter asmalloc, memleak
-+@c     re_node_set_alloc asmalloc, memleak
-+@c      (re_)malloc dup asmalloc, memleak
-+@c     duplicate_node_closure asmalloc, memleak
-+@c      re_node_set_empty ok
-+@c      duplicate_node asmalloc, memleak
-+@c       re_dfa_add_node dup asmalloc, memleak
-+@c      re_node_set_insert asmalloc, memleak
-+@c       (re_)realloc dup asmalloc, memleak
-+@c      search_duplicated_node ok
-+@c     re_node_set_merge asmalloc, memleak
-+@c      (re_)realloc dup asmalloc, memleak
-+@c     re_node_set_free asmalloc, memleak
-+@c      (re_)free dup asmalloc, memleak
-+@c     re_node_set_insert dup asmalloc, memleak
-+@c    re_node_set_free dup asmalloc, memleak
-+@c   calc_inveclosure asmalloc, memleak
-+@c    re_node_set_init_empty dup ok
-+@c    re_node_set_insert_last asmalloc, memleak
-+@c     (re_)realloc dup asmalloc, memleak
-+@c  optimize_utf8 ok
-+@c  create_initial_state asmalloc, memleak
-+@c   re_node_set_init_copy asmalloc, memleak
-+@c    (re_)malloc dup asmalloc, memleak
-+@c    re_node_set_init_empty dup ok
-+@c   re_node_set_contains ok
-+@c   re_node_set_merge dup asmalloc, memleak
-+@c   re_acquire_state_context asmalloc, memleak
-+@c    calc_state_hash ok
-+@c    re_node_set_compare ok
-+@c    create_cd_newstate asmalloc, memleak
-+@c     calloc dup asmalloc, memleak
-+@c     re_node_set_init_copy dup asmalloc, memleak
-+@c     (re_)free dup asmalloc, memleak
-+@c     free_state asmalloc, memleak
-+@c      re_node_set_free dup asmalloc, memleak
-+@c      (re_)free dup asmalloc, memleak
-+@c     NOT_SATISFY_PREV_CONSTRAINT ok
-+@c     re_node_set_remove_at ok
-+@c     register_state asmalloc, memleak
-+@c      re_node_set_alloc dup asmalloc, memleak
-+@c      re_node_set_insert_last dup asmalloc, memleak
-+@c      (re_)realloc dup asmalloc, memleak
-+@c   re_node_set_free dup asmalloc, memleak
-+@c  free_workarea_compile asmalloc, memleak
-+@c   (re_)free dup asmalloc, memleak
-+@c  re_string_destruct asmalloc, memleak
-+@c   (re_)free dup asmalloc, memleak
-+@c  free_dfa_content asmalloc, memleak
-+@c   free_token asmalloc, memleak
-+@c    free_charset asmalloc, memleak
-+@c     (re_)free dup asmalloc, memleak
-+@c    (re_)free dup asmalloc, memleak
-+@c   (re_)free dup asmalloc, memleak
-+@c   re_node_set_free dup asmalloc, memleak
-+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   re_set_fastmap ok
-+@c    tolower ok
-+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   towlower glocale
-+@c   _NL_CURRENT ok
-+@c (re_)free asmalloc, memleak
- The function @code{regcomp} ``compiles'' a regular expression into a
- data structure that you can use with @code{regexec} to match against a
- string.  The compiled regular expression format is designed for
-@@ -889,6 +1130,246 @@ unless the regular expression contains anchor characters (@samp{^} or
- @comment regex.h
- @comment POSIX.2
- @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
-+@c libc_lock_lock selfdeadlock, lockleak
-+@c re_search_internal
-+@c  re_string_allocate asmalloc, memleak
-+@c   re_string_construct_common dup ok
-+@c   re_string_realloc_buffers dup asmalloc, memleak
-+@c  match_ctx_init asmalloc, memleak
-+@c   (re_)malloc dup asmalloc, memleak
-+@c  re_string_byte_at ok
-+@c  re_string_first_byte dup ok
-+@c  check_matching
-+@c   re_string_cur_idx dup ok
-+@c   acquire_init_state_context dup asmalloc, memleak
-+@c    re_string_context_at ok
-+@c     re_string_byte_at dup ok
-+@c     bitset_contain ok
-+@c    re_acquire_state_context dup asmalloc, memleak
-+@c   check_subexp_matching_top asmalloc, memleak
-+@c    match_ctx_add_subtop asmalloc, memleak
-+@c     (re_)realloc dup asmalloc, memleak
-+@c     calloc dup asmalloc, memleak
-+@c   transit_state_bkref
-+@c    re_string_cur_idx dup ok
-+@c    re_string_context_at dup ok
-+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
-+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
-+@c     re_string_get_buffer ok
-+@c     search_cur_bkref_entry ok
-+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       re_string_realloc_buffers dup asmalloc, memleak
-+@c       (re_)realloc dup asmalloc, memleak
-+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       build_upper_buffer dup ok (glocale, but optimized)
-+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c       re_string_translate_buffer dup ok
-+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
-+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
-+@c       (re_)realloc dup asmalloc, memleak
-+@c       re_string_context_at dup ok
-+@c       re_node_set_init_1 dup asmalloc, memleak
-+@c       check_arrival_expand_ecl asmalloc, memleak
-+@c        re_node_set_alloc dup asmalloc, memleak
-+@c        find_subexp_node ok
-+@c        re_node_set_merge dup asmalloc, memleak
-+@c        re_node_set_free dup asmalloc, memleak
-+@c        check_arrival_expand_ecl_sub asmalloc, memleak
-+@c         re_node_set_contains dup ok
-+@c         re_node_set_insert dup asmalloc, memleak
-+@c       re_node_set_free dup asmalloc, memleak
-+@c       re_node_set_init_copy dup asmalloc, memleak
-+@c       re_node_set_init_empty dup ok
-+@c       expand_bkref_cache asmalloc, memleak
-+@c        search_cur_bkref_entry dup ok
-+@c        re_node_set_contains dup ok
-+@c        re_node_set_init_1 dup asmalloc, memleak
-+@c        check_arrival_expand_ecl dup asmalloc, memleak
-+@c        re_node_set_merge dup asmalloc, memleak
-+@c        re_node_set_init_copy dup asmalloc, memleak
-+@c        re_node_set_insert dup asmalloc, memleak
-+@c        re_node_set_free dup asmalloc, memleak
-+@c        re_acquire_state asmalloc, memleak
-+@c         calc_state_hash dup ok
-+@c         re_node_set_compare dup ok
-+@c         create_ci_newstate asmalloc, memleak
-+@c          calloc dup asmalloc, memleak
-+@c          re_node_set_init_copy dup asmalloc, memleak
-+@c          (re_)free dup asmalloc, memleak
-+@c          register_state dup asmalloc, memleak
-+@c          free_state dup asmalloc, memleak
-+@c       re_acquire_state_context dup asmalloc, memleak
-+@c       re_node_set_merge dup asmalloc, memleak
-+@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
-+@c        re_node_set_init_empty dup ok
-+@c        check_node_accept_bytes (maybe glocale), ***wcscoll
-+@c         re_string_byte_at dup ok
-+@c         re_string_char_size_at dup ok
-+@c         re_string_elem_size_at (maybe glocale)
-+@c          _NL_CURRENT_WORD dup ok
-+@c          _NL_CURRENT dup ok
-+@c          auto findidx dup ok
-+@c         _NL_CURRENT_WORD dup ok
-+@c         _NL_CURRENT dup ok
-+@c         collseq_table_lookup dup ok
-+@c         find_collation_sequence_value (maybe glocale)
-+@c          _NL_CURRENT_WORD dup ok
-+@c          _NL_CURRENT dup ok
-+@c         auto findidx dup ok
-+@c         wcscoll ***wcscoll
-+@c        re_node_set_empty dup ok
-+@c        re_node_set_merge dup asmalloc, memleak
-+@c        re_node_set_free dup asmalloc, memleak
-+@c        re_node_set_insert dup asmalloc, memleak
-+@c        re_acquire_state dup asmalloc, memleak
-+@c        check_node_accept ok
-+@c         re_string_byte_at dup ok
-+@c         bitset_contain dup ok
-+@c         re_string_context_at dup ok
-+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
-+@c      match_ctx_add_entry asmalloc, memleak
-+@c       (re_)realloc dup asmalloc, memleak
-+@c       (re_)free dup asmalloc, memleak
-+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c     find_subexp_node dup
-+@c     calloc dup asmalloc, memleak
-+@c     check_arrival dup ***
-+@c     match_ctx_add_sublast asmalloc, memleak
-+@c      (re_)realloc dup asmalloc, memleak
-+@c    re_acquire_state_context dup asmalloc, memleak
-+@c    re_node_set_init_union asmalloc, memleak
-+@c     (re_)malloc dup asmalloc, memleak
-+@c     re_node_set_init_copy dup asmalloc, memleak
-+@c     re_node_set_init_empty dup ok
-+@c    re_node_set_free dup asmalloc, memleak
-+@c    check_subexp_matching_top dup asmalloc, memleak
-+@c   check_halt_state_context ok
-+@c    re_string_context_at dup ok
-+@c    check_halt_node_context ok
-+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
-+@c   re_string_eoi dup ok
-+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c   transit_state
-+@c    transit_state_mb
-+@c     re_string_context_at dup ok
-+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
-+@c     check_node_accept_bytes dup
-+@c     re_string_cur_idx dup ok
-+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
-+@c     re_node_set_init_union dup asmalloc, memleak
-+@c     re_acquire_state_context dup asmalloc, memleak
-+@c    re_string_fetch_byte dup ok
-+@c    re_string_context_at dup ok
-+@c    build_trtable asmalloc, memleak
-+@c     (re_)malloc dup asmalloc, memleak
-+@c     group_nodes_into_DFAstates asmalloc, memleak
-+@c      bitset_empty dup ok
-+@c      bitset_set dup ok
-+@c      bitset_merge dup ok
-+@c      bitset_set_all ok
-+@c      bitset_clear ok
-+@c      bitset_contain dup ok
-+@c      bitset_copy ok
-+@c      re_node_set_init_copy dup asmalloc, memleak
-+@c      re_node_set_insert dup asmalloc, memleak
-+@c      re_node_set_init_1 dup asmalloc, memleak
-+@c      re_node_set_free dup asmalloc, memleak
-+@c     re_node_set_alloc dup asmalloc, memleak
-+@c     malloc dup asmalloc, memleak
-+@c     free dup asmalloc, memleak
-+@c     re_node_set_free dup asmalloc, memleak
-+@c     bitset_empty ok
-+@c     re_node_set_empty dup ok
-+@c     re_node_set_merge dup asmalloc, memleak
-+@c     re_acquire_state_context dup asmalloc, memleak
-+@c     bitset_merge ok
-+@c     calloc dup asmalloc, memleak
-+@c     bitset_contain dup ok
-+@c   merge_state_with_log
-+@c    re_string_cur_idx dup ok
-+@c    re_node_set_init_union dup asmalloc, memleak
-+@c    re_string_context_at dup ok
-+@c    re_node_set_free dup asmalloc, memleak
-+@c    check_subexp_matching_top asmalloc, memleak
-+@c     match_ctx_add_subtop dup asmalloc, memleak
-+@c    transit_state_bkref dup
-+@c   find_recover_state
-+@c    re_string_cur_idx dup ok
-+@c    re_string_skip_bytes dup ok
-+@c    merge_state_with_log dup
-+@c  check_halt_state_context dup
-+@c  prune_impossible_nodes
-+@c   (re_)malloc dup asmalloc, memleak
-+@c   sift_ctx_init ok
-+@c    re_node_set_init_empty dup ok
-+@c   sift_states_backward
-+@c    re_node_set_init_1 dup asmalloc, memleak
-+@c    update_cur_sifted_state asmalloc, memleak
-+@c     add_epsilon_src_nodes asmalloc, memleak
-+@c      re_acquire_state dup asmalloc, memleak
-+@c      re_node_set_alloc dup asmalloc, memleak
-+@c      re_node_set_merge dup asmalloc, memleak
-+@c      re_node_set_add_intersect asmalloc, memleak
-+@c       (re_)realloc dup asmalloc, memleak
-+@c     check_subexp_limits asmalloc, memleak
-+@c      sub_epsilon_src_nodes asmalloc, memleak
-+@c       re_node_set_init_empty dup ok
-+@c       re_node_set_contains dup ok
-+@c       re_node_set_add_intersect dup asmalloc, memleak
-+@c       re_node_set_free dup asmalloc, memleak
-+@c       re_node_set_remove_at dup ok
-+@c      re_node_set_contains dup ok
-+@c     re_acquire_state dup asmalloc, memleak
-+@c     sift_states_bkref asmalloc, memleak
-+@c      search_cur_bkref_entry dup ok
-+@c      check_dst_limits ok
-+@c       search_cur_bkref_entry dup ok
-+@c       check_dst_limits_calc_pos ok
-+@c        check_dst_limits_calc_pos_1 ok
-+@c      re_node_set_init_copy dup asmalloc, memleak
-+@c      re_node_set_insert dup asmalloc, memleak
-+@c      sift_states_backward dup
-+@c      merge_state_array dup asmalloc, memleak
-+@c      re_node_set_remove ok
-+@c       re_node_set_contains dup ok
-+@c       re_node_set_remove_at dup ok
-+@c      re_node_set_free dup asmalloc, memleak
-+@c    re_node_set_free dup asmalloc, memleak
-+@c    re_node_set_empty dup ok
-+@c    build_sifted_states
-+@c     sift_states_iter_mb
-+@c      check_node_accept_bytes dup
-+@c     check_node_accept dup ok
-+@c     check_dst_limits dup ok
-+@c     re_node_set_insert dup asmalloc, memleak
-+@c   re_node_set_free dup asmalloc, memleak
-+@c   check_halt_state_context dup ok
-+@c   merge_state_array asmalloc, memleak
-+@c    re_node_set_init_union dup asmalloc, memleak
-+@c    re_acquire_state dup asmalloc, memleak
-+@c    re_node_set_free dup asmalloc, memleak
-+@c   (re_)free dup asmalloc, memleak
-+@c  set_regs asmalloc, memleak
-+@c   (re_)malloc dup asmalloc, memleak
-+@c   re_node_set_init_empty dup ok
-+@c   free_fail_stack_return asmalloc, memleak
-+@c    re_node_set_free dup asmalloc, memleak
-+@c    (re_)free dup asmalloc, memleak
-+@c   update_regs ok
-+@c   re_node_set_free dup asmalloc, memleak
-+@c   pop_fail_stack asmalloc, memleak
-+@c    re_node_set_free dup asmalloc, memleak
-+@c    (re_)free dup asmalloc, memleak
-+@c   (re_)free dup asmalloc, memleak
-+@c  (re_)free dup asmalloc, memleak
-+@c  match_ctx_free asmalloc, memleak
-+@c   match_ctx_clean asmalloc, memleak
-+@c    (re_)free dup asmalloc, memleak
-+@c   (re_)free dup asmalloc, memleak
-+@c  re_string_destruct dup asmalloc, memleak
-+@c libc_lock_unlock lockleak
- This function tries to match the compiled regular expression
- @code{*@var{compiled}} against @var{string}.
- 
-@@ -1051,6 +1532,9 @@ free the storage it uses by calling @code{regfree}.
- @comment regex.h
- @comment POSIX.2
- @deftypefun void regfree (regex_t *@var{compiled})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
-+@c (re_)free dup asmalloc, memleak
-+@c free_dfa_content dup asmalloc, memleak
- Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
- points to.  This includes various internal fields of the @code{regex_t}
- structure that aren't documented in this manual.
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
index 86b5d47..b21a30e 100644
--- a/patches/wip-manual-document-mt-safety-pattern.patch
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -1,5 +1,5 @@
 Bottom: 15a8300141ee19f4516dae06220c3f742c3d7c85
-Top:    43752d35196008e73c5b6234ceb965ba6b80c8ef
+Top:    97c391126dfad97118d4c685597254faf62e03f0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 03:02:58 -0300
 
@@ -13,17 +13,515 @@ for ChangeLog
 ---
 
 diff --git a/manual/pattern.texi b/manual/pattern.texi
-index 1966f3f..376566e 100644
+index 1966f3f..4b66204 100644
 --- a/manual/pattern.texi
 +++ b/manual/pattern.texi
-@@ -736,6 +736,10 @@ expression into it by calling @code{regcomp}.
+@@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
  @comment regex.h
  @comment POSIX.2
  @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
-+@c (re_)malloc
-+@c re_compile_internal
-+@c re_compile_fastmap
-+@c (re_)free
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c All of the issues have to do with memory allocation and multi-byte 
++@c character handling present in the input string, or implied by ranges
++@c or inverted character classes.
++@c (re_)malloc asmalloc, memleak
++@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
++@c    callers that don't zero the buffer)
++@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   (re_)malloc asmalloc, memleak
++@c   calloc asmalloc, memleak
++@c   _NL_CURRENT ok
++@c   _NL_CURRENT_WORD ok
++@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  libc_lock_init ok
++@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   re_string_construct_common ok
++@c   re_string_realloc_buffers asmalloc, memleak
++@c    (re_)realloc dup asmalloc, memleak
++@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    isascii ok
++@c    mbsinit ok
++@c    toupper ok
++@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    iswlower glocale
++@c    towupper glocale
++@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    (re_)malloc dup asmalloc, memleak
++@c   build_upper_buffer ok (glocale, but optimized)
++@c    islower ok
++@c    toupper ok
++@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   re_string_translate_buffer ok
++@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    peek_token ok (maybe glocale)
++@c     re_string_eoi ok
++@c     re_string_peek_byte ok
++@c     re_string_cur_idx ok
++@c     re_string_length ok
++@c     re_string_peek_byte_case ok (maybe glocale)
++@c      re_string_peek_byte dup ok
++@c      re_string_is_single_byte_char ok
++@c      isascii ok
++@c      re_string_peek_byte dup ok
++@c     re_string_wchar_at ok
++@c     re_string_skip_bytes ok
++@c    re_string_skip_bytes dup ok
++@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      create_token_tree dup asmalloc, memleak
++@c      re_string_eoi dup ok
++@c      re_string_first_byte ok
++@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      create_tree dup asmalloc, memleak
++@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       postorder() asmalloc, memleak
++@c        free_tree asmalloc, memleak
++@c         free_token dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       _NL_CURRENT dup ok
++@c       _NL_CURRENT_WORD dup ok
++@c       calloc dup asmalloc, memleak
++@c       (re_)free dup asmalloc, memleak
++@c       peek_token_bracket ok
++@c        re_string_eoi dup ok
++@c        re_string_peek_byte dup ok
++@c        re_string_first_byte dup ok
++@c        re_string_cur_idx dup ok
++@c        re_string_length dup ok
++@c        re_string_skip_bytes dup ok
++@c       bitset_set ok
++@c       re_string_skip_bytes ok
++@c       parse_bracket_element ok (maybe glocale)
++@c        re_string_char_size_at ok
++@c        re_string_wchar_at dup ok
++@c        re_string_skip_bytes dup ok
++@c        parse_bracket_symbol ok (maybe glocale)
++@c         re_string_eoi dup ok
++@c         re_string_fetch_byte_case ok (maybe glocale)
++@c          re_string_fetch_byte ok
++@c          re_string_first_byte dup ok
++@c          isascii ok
++@c          re_string_char_size_at dup ok
++@c          re_string_skip_bytes dup ok
++@c         re_string_fetch_byte dup ok
++@c         re_string_peek_byte dup ok
++@c         re_string_skip_bytes dup ok
++@c        peek_token_bracket dup
++@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c         collseq_table_lookup ok
++@c         auto seek_collating_symbol_entry dup ok
++@c        (re_)realloc dup asmalloc, memleak
++@c        collseq_table_lookup dup ok
++@c       bitset_set dup ok
++@c       (re_)realloc dup asmalloc, memleak
++@c       build_equiv_class (maybe glocale), asmalloc, memleak
++@c        _NL_CURRENT ok
++@c        auto findidx ok
++@c        bitset_set dup ok
++@c        (re_)realloc dup asmalloc, memleak
++@c       auto build_collating_symbol asmalloc, memleak
++@c        auto seek_collating_symbol_entry ok
++@c        bitset_set dup ok
++@c        (re_)realloc dup asmalloc, memleak
++@c       build_charclass (maybe glocale), asmalloc, memleak
++@c        (re_)realloc dup asmalloc, memleak
++@c        bitset_set dup ok
++@c        isalnum ok
++@c        iscntrl ok
++@c        isspace ok
++@c        isalpha ok
++@c        isdigit ok
++@c        isprint ok
++@c        isupper ok
++@c        isblank ok
++@c        isgraph ok
++@c        ispunct ok
++@c        isxdigit ok
++@c       bitset_not ok
++@c       bitset_mask ok
++@c       create_token_tree dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c       free_charset dup asmalloc, memleak
++@c      init_word_char (maybe glocale)
++@c       isalnum ok
++@c      build_charclass_op (maybe glocale), asmalloc, memleak
++@c       calloc dup asmalloc, memleak
++@c       build_charclass dup (maybe glocale), asmalloc, memleak
++@c       (re_)free dup asmalloc, memleak
++@c       free_charset dup asmalloc, memleak
++@c       bitset_set dup ok
++@c       bitset_not dup ok
++@c       bitset_mask dup ok
++@c       create_token_tree dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_cur_idx dup ok
++@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_set_index ok
++@c       postorder() asmalloc, memleak
++@c        free_tree dup asmalloc, memleak
++@c        mark_opt_subexp ok
++@c       duplicate_tree asmalloc, memleak
++@c        create_token_tree dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c     postorder() asmalloc, memleak
++@c      free_tree dup asmalloc, memleak
++@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    create_tree dup asmalloc, memleak
++@c   create_tree asmalloc, memleak
++@c    create_token_tree asmalloc, memleak
++@c     (re_)malloc dup asmalloc, memleak
++@c  analyze asmalloc, memleak
++@c   (re_)malloc dup asmalloc, memleak
++@c   preorder() asmalloc, memleak
++@c    optimize_subexps ok
++@c    calc_next ok
++@c    link_nfa_nodes asmalloc, memleak
++@c     re_node_set_init_1 asmalloc, memleak
++@c      (re_)malloc dup asmalloc, memleak
++@c     re_node_set_init_2 asmalloc, memleak
++@c      (re_)malloc dup asmalloc, memleak
++@c   postorder() asmalloc, memleak
++@c    lower_subexps asmalloc, memleak
++@c     lower_subexp asmalloc, memleak
++@c      create_tree dup asmalloc, memleak
++@c    calc_first asmalloc, memleak
++@c     re_dfa_add_node asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c      re_node_set_init_empty ok
++@c   calc_eclosure asmalloc, memleak
++@c    calc_eclosure_iter asmalloc, memleak
++@c     re_node_set_alloc asmalloc, memleak
++@c      (re_)malloc dup asmalloc, memleak
++@c     duplicate_node_closure asmalloc, memleak
++@c      re_node_set_empty ok
++@c      duplicate_node asmalloc, memleak
++@c       re_dfa_add_node dup asmalloc, memleak
++@c      re_node_set_insert asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c      search_duplicated_node ok
++@c     re_node_set_merge asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c     re_node_set_free asmalloc, memleak
++@c      (re_)free dup asmalloc, memleak
++@c     re_node_set_insert dup asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c   calc_inveclosure asmalloc, memleak
++@c    re_node_set_init_empty dup ok
++@c    re_node_set_insert_last asmalloc, memleak
++@c     (re_)realloc dup asmalloc, memleak
++@c  optimize_utf8 ok
++@c  create_initial_state asmalloc, memleak
++@c   re_node_set_init_copy asmalloc, memleak
++@c    (re_)malloc dup asmalloc, memleak
++@c    re_node_set_init_empty dup ok
++@c   re_node_set_contains ok
++@c   re_node_set_merge dup asmalloc, memleak
++@c   re_acquire_state_context asmalloc, memleak
++@c    calc_state_hash ok
++@c    re_node_set_compare ok
++@c    create_cd_newstate asmalloc, memleak
++@c     calloc dup asmalloc, memleak
++@c     re_node_set_init_copy dup asmalloc, memleak
++@c     (re_)free dup asmalloc, memleak
++@c     free_state asmalloc, memleak
++@c      re_node_set_free dup asmalloc, memleak
++@c      (re_)free dup asmalloc, memleak
++@c     NOT_SATISFY_PREV_CONSTRAINT ok
++@c     re_node_set_remove_at ok
++@c     register_state asmalloc, memleak
++@c      re_node_set_alloc dup asmalloc, memleak
++@c      re_node_set_insert_last dup asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c   re_node_set_free dup asmalloc, memleak
++@c  free_workarea_compile asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  re_string_destruct asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  free_dfa_content asmalloc, memleak
++@c   free_token asmalloc, memleak
++@c    free_charset asmalloc, memleak
++@c     (re_)free dup asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c   re_node_set_free dup asmalloc, memleak
++@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   re_set_fastmap ok
++@c    tolower ok
++@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   towlower glocale
++@c   _NL_CURRENT ok
++@c (re_)free asmalloc, memleak
  The function @code{regcomp} ``compiles'' a regular expression into a
  data structure that you can use with @code{regexec} to match against a
  string.  The compiled regular expression format is designed for
+@@ -885,6 +1130,246 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
++@c libc_lock_lock selfdeadlock, lockleak
++@c re_search_internal
++@c  re_string_allocate asmalloc, memleak
++@c   re_string_construct_common dup ok
++@c   re_string_realloc_buffers dup asmalloc, memleak
++@c  match_ctx_init asmalloc, memleak
++@c   (re_)malloc dup asmalloc, memleak
++@c  re_string_byte_at ok
++@c  re_string_first_byte dup ok
++@c  check_matching
++@c   re_string_cur_idx dup ok
++@c   acquire_init_state_context dup asmalloc, memleak
++@c    re_string_context_at ok
++@c     re_string_byte_at dup ok
++@c     bitset_contain ok
++@c    re_acquire_state_context dup asmalloc, memleak
++@c   check_subexp_matching_top asmalloc, memleak
++@c    match_ctx_add_subtop asmalloc, memleak
++@c     (re_)realloc dup asmalloc, memleak
++@c     calloc dup asmalloc, memleak
++@c   transit_state_bkref
++@c    re_string_cur_idx dup ok
++@c    re_string_context_at dup ok
++@c    NOT_SATISFY_NEXT_CONSTRAINT ok
++@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c     re_string_get_buffer ok
++@c     search_cur_bkref_entry ok
++@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_realloc_buffers dup asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       build_upper_buffer dup ok (glocale, but optimized)
++@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_translate_buffer dup ok
++@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c       (re_)realloc dup asmalloc, memleak
++@c       re_string_context_at dup ok
++@c       re_node_set_init_1 dup asmalloc, memleak
++@c       check_arrival_expand_ecl asmalloc, memleak
++@c        re_node_set_alloc dup asmalloc, memleak
++@c        find_subexp_node ok
++@c        re_node_set_merge dup asmalloc, memleak
++@c        re_node_set_free dup asmalloc, memleak
++@c        check_arrival_expand_ecl_sub asmalloc, memleak
++@c         re_node_set_contains dup ok
++@c         re_node_set_insert dup asmalloc, memleak
++@c       re_node_set_free dup asmalloc, memleak
++@c       re_node_set_init_copy dup asmalloc, memleak
++@c       re_node_set_init_empty dup ok
++@c       expand_bkref_cache asmalloc, memleak
++@c        search_cur_bkref_entry dup ok
++@c        re_node_set_contains dup ok
++@c        re_node_set_init_1 dup asmalloc, memleak
++@c        check_arrival_expand_ecl dup asmalloc, memleak
++@c        re_node_set_merge dup asmalloc, memleak
++@c        re_node_set_init_copy dup asmalloc, memleak
++@c        re_node_set_insert dup asmalloc, memleak
++@c        re_node_set_free dup asmalloc, memleak
++@c        re_acquire_state asmalloc, memleak
++@c         calc_state_hash dup ok
++@c         re_node_set_compare dup ok
++@c         create_ci_newstate asmalloc, memleak
++@c          calloc dup asmalloc, memleak
++@c          re_node_set_init_copy dup asmalloc, memleak
++@c          (re_)free dup asmalloc, memleak
++@c          register_state dup asmalloc, memleak
++@c          free_state dup asmalloc, memleak
++@c       re_acquire_state_context dup asmalloc, memleak
++@c       re_node_set_merge dup asmalloc, memleak
++@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
++@c        re_node_set_init_empty dup ok
++@c        check_node_accept_bytes (maybe glocale), ***wcscoll
++@c         re_string_byte_at dup ok
++@c         re_string_char_size_at dup ok
++@c         re_string_elem_size_at (maybe glocale)
++@c          _NL_CURRENT_WORD dup ok
++@c          _NL_CURRENT dup ok
++@c          auto findidx dup ok
++@c         _NL_CURRENT_WORD dup ok
++@c         _NL_CURRENT dup ok
++@c         collseq_table_lookup dup ok
++@c         find_collation_sequence_value (maybe glocale)
++@c          _NL_CURRENT_WORD dup ok
++@c          _NL_CURRENT dup ok
++@c         auto findidx dup ok
++@c         wcscoll ***wcscoll
++@c        re_node_set_empty dup ok
++@c        re_node_set_merge dup asmalloc, memleak
++@c        re_node_set_free dup asmalloc, memleak
++@c        re_node_set_insert dup asmalloc, memleak
++@c        re_acquire_state dup asmalloc, memleak
++@c        check_node_accept ok
++@c         re_string_byte_at dup ok
++@c         bitset_contain dup ok
++@c         re_string_context_at dup ok
++@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
++@c      match_ctx_add_entry asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c       (re_)free dup asmalloc, memleak
++@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     find_subexp_node dup
++@c     calloc dup asmalloc, memleak
++@c     check_arrival dup ***
++@c     match_ctx_add_sublast asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c    re_acquire_state_context dup asmalloc, memleak
++@c    re_node_set_init_union asmalloc, memleak
++@c     (re_)malloc dup asmalloc, memleak
++@c     re_node_set_init_copy dup asmalloc, memleak
++@c     re_node_set_init_empty dup ok
++@c    re_node_set_free dup asmalloc, memleak
++@c    check_subexp_matching_top dup asmalloc, memleak
++@c   check_halt_state_context ok
++@c    re_string_context_at dup ok
++@c    check_halt_node_context ok
++@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
++@c   re_string_eoi dup ok
++@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   transit_state
++@c    transit_state_mb
++@c     re_string_context_at dup ok
++@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
++@c     check_node_accept_bytes dup
++@c     re_string_cur_idx dup ok
++@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     re_node_set_init_union dup asmalloc, memleak
++@c     re_acquire_state_context dup asmalloc, memleak
++@c    re_string_fetch_byte dup ok
++@c    re_string_context_at dup ok
++@c    build_trtable asmalloc, memleak
++@c     (re_)malloc dup asmalloc, memleak
++@c     group_nodes_into_DFAstates asmalloc, memleak
++@c      bitset_empty dup ok
++@c      bitset_set dup ok
++@c      bitset_merge dup ok
++@c      bitset_set_all ok
++@c      bitset_clear ok
++@c      bitset_contain dup ok
++@c      bitset_copy ok
++@c      re_node_set_init_copy dup asmalloc, memleak
++@c      re_node_set_insert dup asmalloc, memleak
++@c      re_node_set_init_1 dup asmalloc, memleak
++@c      re_node_set_free dup asmalloc, memleak
++@c     re_node_set_alloc dup asmalloc, memleak
++@c     malloc dup asmalloc, memleak
++@c     free dup asmalloc, memleak
++@c     re_node_set_free dup asmalloc, memleak
++@c     bitset_empty ok
++@c     re_node_set_empty dup ok
++@c     re_node_set_merge dup asmalloc, memleak
++@c     re_acquire_state_context dup asmalloc, memleak
++@c     bitset_merge ok
++@c     calloc dup asmalloc, memleak
++@c     bitset_contain dup ok
++@c   merge_state_with_log
++@c    re_string_cur_idx dup ok
++@c    re_node_set_init_union dup asmalloc, memleak
++@c    re_string_context_at dup ok
++@c    re_node_set_free dup asmalloc, memleak
++@c    check_subexp_matching_top asmalloc, memleak
++@c     match_ctx_add_subtop dup asmalloc, memleak
++@c    transit_state_bkref dup
++@c   find_recover_state
++@c    re_string_cur_idx dup ok
++@c    re_string_skip_bytes dup ok
++@c    merge_state_with_log dup
++@c  check_halt_state_context dup
++@c  prune_impossible_nodes
++@c   (re_)malloc dup asmalloc, memleak
++@c   sift_ctx_init ok
++@c    re_node_set_init_empty dup ok
++@c   sift_states_backward
++@c    re_node_set_init_1 dup asmalloc, memleak
++@c    update_cur_sifted_state asmalloc, memleak
++@c     add_epsilon_src_nodes asmalloc, memleak
++@c      re_acquire_state dup asmalloc, memleak
++@c      re_node_set_alloc dup asmalloc, memleak
++@c      re_node_set_merge dup asmalloc, memleak
++@c      re_node_set_add_intersect asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c     check_subexp_limits asmalloc, memleak
++@c      sub_epsilon_src_nodes asmalloc, memleak
++@c       re_node_set_init_empty dup ok
++@c       re_node_set_contains dup ok
++@c       re_node_set_add_intersect dup asmalloc, memleak
++@c       re_node_set_free dup asmalloc, memleak
++@c       re_node_set_remove_at dup ok
++@c      re_node_set_contains dup ok
++@c     re_acquire_state dup asmalloc, memleak
++@c     sift_states_bkref asmalloc, memleak
++@c      search_cur_bkref_entry dup ok
++@c      check_dst_limits ok
++@c       search_cur_bkref_entry dup ok
++@c       check_dst_limits_calc_pos ok
++@c        check_dst_limits_calc_pos_1 ok
++@c      re_node_set_init_copy dup asmalloc, memleak
++@c      re_node_set_insert dup asmalloc, memleak
++@c      sift_states_backward dup
++@c      merge_state_array dup asmalloc, memleak
++@c      re_node_set_remove ok
++@c       re_node_set_contains dup ok
++@c       re_node_set_remove_at dup ok
++@c      re_node_set_free dup asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c    re_node_set_empty dup ok
++@c    build_sifted_states
++@c     sift_states_iter_mb
++@c      check_node_accept_bytes dup
++@c     check_node_accept dup ok
++@c     check_dst_limits dup ok
++@c     re_node_set_insert dup asmalloc, memleak
++@c   re_node_set_free dup asmalloc, memleak
++@c   check_halt_state_context dup ok
++@c   merge_state_array asmalloc, memleak
++@c    re_node_set_init_union dup asmalloc, memleak
++@c    re_acquire_state dup asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  set_regs asmalloc, memleak
++@c   (re_)malloc dup asmalloc, memleak
++@c   re_node_set_init_empty dup ok
++@c   free_fail_stack_return asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   update_regs ok
++@c   re_node_set_free dup asmalloc, memleak
++@c   pop_fail_stack asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  (re_)free dup asmalloc, memleak
++@c  match_ctx_free asmalloc, memleak
++@c   match_ctx_clean asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  re_string_destruct dup asmalloc, memleak
++@c libc_lock_unlock lockleak
+ This function tries to match the compiled regular expression
+ @code{*@var{compiled}} against @var{string}.
+ 
+@@ -1047,6 +1532,9 @@ free the storage it uses by calling @code{regfree}.
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun void regfree (regex_t *@var{compiled})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
++@c (re_)free dup asmalloc, memleak
++@c free_dfa_content dup asmalloc, memleak
+ Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
+ points to.  This includes various internal fields of the @code{regex_t}
+ structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b7f5fb7fb8aab1cde840ccc066ece2c9d0aac5de

commit b7f5fb7fb8aab1cde840ccc066ece2c9d0aac5de
Merge: 087730a ac662fe b37401d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:19:22 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=087730a768079feaa60e4bd972d9a25db4a6bf77

commit 087730a768079feaa60e4bd972d9a25db4a6bf77
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:19:22 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 45dcd5d..533e51d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 57982356a25c9317f2b934db8d7b81e8d9ac02da
-Head: e8af539713392c27e540158b90c5c8c57a34dde0
+Previous: ac662fe6d252a3d5739fc99789ddeb4816704ba0
+Head: b37401d04453d34fc6314fdc54606a46e8fb2627
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -30,5 +30,6 @@ Applied:
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
   wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
   wip-manual-document-mt-safety-pattern.patch: e8af539713392c27e540158b90c5c8c57a34dde0
+  refresh-temp: b37401d04453d34fc6314fdc54606a46e8fb2627
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..5185196
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,526 @@
+Bottom: 43752d35196008e73c5b6234ceb965ba6b80c8ef
+Top:    97c391126dfad97118d4c685597254faf62e03f0
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 12:19:21 -0300
+
+Refresh of wip-manual-document-mt-safety-pattern.patch
+
+---
+
+diff --git a/manual/pattern.texi b/manual/pattern.texi
+index 376566e..4b66204 100644
+--- a/manual/pattern.texi
++++ b/manual/pattern.texi
+@@ -736,10 +736,251 @@ expression into it by calling @code{regcomp}.
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+-@c (re_)malloc
+-@c re_compile_internal
+-@c re_compile_fastmap
+-@c (re_)free
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c All of the issues have to do with memory allocation and multi-byte 
++@c character handling present in the input string, or implied by ranges
++@c or inverted character classes.
++@c (re_)malloc asmalloc, memleak
++@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
++@c    callers that don't zero the buffer)
++@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   (re_)malloc asmalloc, memleak
++@c   calloc asmalloc, memleak
++@c   _NL_CURRENT ok
++@c   _NL_CURRENT_WORD ok
++@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  libc_lock_init ok
++@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   re_string_construct_common ok
++@c   re_string_realloc_buffers asmalloc, memleak
++@c    (re_)realloc dup asmalloc, memleak
++@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    isascii ok
++@c    mbsinit ok
++@c    toupper ok
++@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    iswlower glocale
++@c    towupper glocale
++@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    (re_)malloc dup asmalloc, memleak
++@c   build_upper_buffer ok (glocale, but optimized)
++@c    islower ok
++@c    toupper ok
++@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   re_string_translate_buffer ok
++@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    peek_token ok (maybe glocale)
++@c     re_string_eoi ok
++@c     re_string_peek_byte ok
++@c     re_string_cur_idx ok
++@c     re_string_length ok
++@c     re_string_peek_byte_case ok (maybe glocale)
++@c      re_string_peek_byte dup ok
++@c      re_string_is_single_byte_char ok
++@c      isascii ok
++@c      re_string_peek_byte dup ok
++@c     re_string_wchar_at ok
++@c     re_string_skip_bytes ok
++@c    re_string_skip_bytes dup ok
++@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      create_token_tree dup asmalloc, memleak
++@c      re_string_eoi dup ok
++@c      re_string_first_byte ok
++@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      create_tree dup asmalloc, memleak
++@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       postorder() asmalloc, memleak
++@c        free_tree asmalloc, memleak
++@c         free_token dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       _NL_CURRENT dup ok
++@c       _NL_CURRENT_WORD dup ok
++@c       calloc dup asmalloc, memleak
++@c       (re_)free dup asmalloc, memleak
++@c       peek_token_bracket ok
++@c        re_string_eoi dup ok
++@c        re_string_peek_byte dup ok
++@c        re_string_first_byte dup ok
++@c        re_string_cur_idx dup ok
++@c        re_string_length dup ok
++@c        re_string_skip_bytes dup ok
++@c       bitset_set ok
++@c       re_string_skip_bytes ok
++@c       parse_bracket_element ok (maybe glocale)
++@c        re_string_char_size_at ok
++@c        re_string_wchar_at dup ok
++@c        re_string_skip_bytes dup ok
++@c        parse_bracket_symbol ok (maybe glocale)
++@c         re_string_eoi dup ok
++@c         re_string_fetch_byte_case ok (maybe glocale)
++@c          re_string_fetch_byte ok
++@c          re_string_first_byte dup ok
++@c          isascii ok
++@c          re_string_char_size_at dup ok
++@c          re_string_skip_bytes dup ok
++@c         re_string_fetch_byte dup ok
++@c         re_string_peek_byte dup ok
++@c         re_string_skip_bytes dup ok
++@c        peek_token_bracket dup
++@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c         collseq_table_lookup ok
++@c         auto seek_collating_symbol_entry dup ok
++@c        (re_)realloc dup asmalloc, memleak
++@c        collseq_table_lookup dup ok
++@c       bitset_set dup ok
++@c       (re_)realloc dup asmalloc, memleak
++@c       build_equiv_class (maybe glocale), asmalloc, memleak
++@c        _NL_CURRENT ok
++@c        auto findidx ok
++@c        bitset_set dup ok
++@c        (re_)realloc dup asmalloc, memleak
++@c       auto build_collating_symbol asmalloc, memleak
++@c        auto seek_collating_symbol_entry ok
++@c        bitset_set dup ok
++@c        (re_)realloc dup asmalloc, memleak
++@c       build_charclass (maybe glocale), asmalloc, memleak
++@c        (re_)realloc dup asmalloc, memleak
++@c        bitset_set dup ok
++@c        isalnum ok
++@c        iscntrl ok
++@c        isspace ok
++@c        isalpha ok
++@c        isdigit ok
++@c        isprint ok
++@c        isupper ok
++@c        isblank ok
++@c        isgraph ok
++@c        ispunct ok
++@c        isxdigit ok
++@c       bitset_not ok
++@c       bitset_mask ok
++@c       create_token_tree dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c       free_charset dup asmalloc, memleak
++@c      init_word_char (maybe glocale)
++@c       isalnum ok
++@c      build_charclass_op (maybe glocale), asmalloc, memleak
++@c       calloc dup asmalloc, memleak
++@c       build_charclass dup (maybe glocale), asmalloc, memleak
++@c       (re_)free dup asmalloc, memleak
++@c       free_charset dup asmalloc, memleak
++@c       bitset_set dup ok
++@c       bitset_not dup ok
++@c       bitset_mask dup ok
++@c       create_token_tree dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_cur_idx dup ok
++@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_set_index ok
++@c       postorder() asmalloc, memleak
++@c        free_tree dup asmalloc, memleak
++@c        mark_opt_subexp ok
++@c       duplicate_tree asmalloc, memleak
++@c        create_token_tree dup asmalloc, memleak
++@c       create_tree dup asmalloc, memleak
++@c     postorder() asmalloc, memleak
++@c      free_tree dup asmalloc, memleak
++@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c    create_tree dup asmalloc, memleak
++@c   create_tree asmalloc, memleak
++@c    create_token_tree asmalloc, memleak
++@c     (re_)malloc dup asmalloc, memleak
++@c  analyze asmalloc, memleak
++@c   (re_)malloc dup asmalloc, memleak
++@c   preorder() asmalloc, memleak
++@c    optimize_subexps ok
++@c    calc_next ok
++@c    link_nfa_nodes asmalloc, memleak
++@c     re_node_set_init_1 asmalloc, memleak
++@c      (re_)malloc dup asmalloc, memleak
++@c     re_node_set_init_2 asmalloc, memleak
++@c      (re_)malloc dup asmalloc, memleak
++@c   postorder() asmalloc, memleak
++@c    lower_subexps asmalloc, memleak
++@c     lower_subexp asmalloc, memleak
++@c      create_tree dup asmalloc, memleak
++@c    calc_first asmalloc, memleak
++@c     re_dfa_add_node asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c      re_node_set_init_empty ok
++@c   calc_eclosure asmalloc, memleak
++@c    calc_eclosure_iter asmalloc, memleak
++@c     re_node_set_alloc asmalloc, memleak
++@c      (re_)malloc dup asmalloc, memleak
++@c     duplicate_node_closure asmalloc, memleak
++@c      re_node_set_empty ok
++@c      duplicate_node asmalloc, memleak
++@c       re_dfa_add_node dup asmalloc, memleak
++@c      re_node_set_insert asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c      search_duplicated_node ok
++@c     re_node_set_merge asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c     re_node_set_free asmalloc, memleak
++@c      (re_)free dup asmalloc, memleak
++@c     re_node_set_insert dup asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c   calc_inveclosure asmalloc, memleak
++@c    re_node_set_init_empty dup ok
++@c    re_node_set_insert_last asmalloc, memleak
++@c     (re_)realloc dup asmalloc, memleak
++@c  optimize_utf8 ok
++@c  create_initial_state asmalloc, memleak
++@c   re_node_set_init_copy asmalloc, memleak
++@c    (re_)malloc dup asmalloc, memleak
++@c    re_node_set_init_empty dup ok
++@c   re_node_set_contains ok
++@c   re_node_set_merge dup asmalloc, memleak
++@c   re_acquire_state_context asmalloc, memleak
++@c    calc_state_hash ok
++@c    re_node_set_compare ok
++@c    create_cd_newstate asmalloc, memleak
++@c     calloc dup asmalloc, memleak
++@c     re_node_set_init_copy dup asmalloc, memleak
++@c     (re_)free dup asmalloc, memleak
++@c     free_state asmalloc, memleak
++@c      re_node_set_free dup asmalloc, memleak
++@c      (re_)free dup asmalloc, memleak
++@c     NOT_SATISFY_PREV_CONSTRAINT ok
++@c     re_node_set_remove_at ok
++@c     register_state asmalloc, memleak
++@c      re_node_set_alloc dup asmalloc, memleak
++@c      re_node_set_insert_last dup asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c   re_node_set_free dup asmalloc, memleak
++@c  free_workarea_compile asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  re_string_destruct asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  free_dfa_content asmalloc, memleak
++@c   free_token asmalloc, memleak
++@c    free_charset asmalloc, memleak
++@c     (re_)free dup asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c   re_node_set_free dup asmalloc, memleak
++@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   re_set_fastmap ok
++@c    tolower ok
++@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   towlower glocale
++@c   _NL_CURRENT ok
++@c (re_)free asmalloc, memleak
+ The function @code{regcomp} ``compiles'' a regular expression into a
+ data structure that you can use with @code{regexec} to match against a
+ string.  The compiled regular expression format is designed for
+@@ -889,6 +1130,246 @@ unless the regular expression contains anchor characters (@samp{^} or
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
++@c libc_lock_lock selfdeadlock, lockleak
++@c re_search_internal
++@c  re_string_allocate asmalloc, memleak
++@c   re_string_construct_common dup ok
++@c   re_string_realloc_buffers dup asmalloc, memleak
++@c  match_ctx_init asmalloc, memleak
++@c   (re_)malloc dup asmalloc, memleak
++@c  re_string_byte_at ok
++@c  re_string_first_byte dup ok
++@c  check_matching
++@c   re_string_cur_idx dup ok
++@c   acquire_init_state_context dup asmalloc, memleak
++@c    re_string_context_at ok
++@c     re_string_byte_at dup ok
++@c     bitset_contain ok
++@c    re_acquire_state_context dup asmalloc, memleak
++@c   check_subexp_matching_top asmalloc, memleak
++@c    match_ctx_add_subtop asmalloc, memleak
++@c     (re_)realloc dup asmalloc, memleak
++@c     calloc dup asmalloc, memleak
++@c   transit_state_bkref
++@c    re_string_cur_idx dup ok
++@c    re_string_context_at dup ok
++@c    NOT_SATISFY_NEXT_CONSTRAINT ok
++@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c     re_string_get_buffer ok
++@c     search_cur_bkref_entry ok
++@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_realloc_buffers dup asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       build_upper_buffer dup ok (glocale, but optimized)
++@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c       re_string_translate_buffer dup ok
++@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
++@c       (re_)realloc dup asmalloc, memleak
++@c       re_string_context_at dup ok
++@c       re_node_set_init_1 dup asmalloc, memleak
++@c       check_arrival_expand_ecl asmalloc, memleak
++@c        re_node_set_alloc dup asmalloc, memleak
++@c        find_subexp_node ok
++@c        re_node_set_merge dup asmalloc, memleak
++@c        re_node_set_free dup asmalloc, memleak
++@c        check_arrival_expand_ecl_sub asmalloc, memleak
++@c         re_node_set_contains dup ok
++@c         re_node_set_insert dup asmalloc, memleak
++@c       re_node_set_free dup asmalloc, memleak
++@c       re_node_set_init_copy dup asmalloc, memleak
++@c       re_node_set_init_empty dup ok
++@c       expand_bkref_cache asmalloc, memleak
++@c        search_cur_bkref_entry dup ok
++@c        re_node_set_contains dup ok
++@c        re_node_set_init_1 dup asmalloc, memleak
++@c        check_arrival_expand_ecl dup asmalloc, memleak
++@c        re_node_set_merge dup asmalloc, memleak
++@c        re_node_set_init_copy dup asmalloc, memleak
++@c        re_node_set_insert dup asmalloc, memleak
++@c        re_node_set_free dup asmalloc, memleak
++@c        re_acquire_state asmalloc, memleak
++@c         calc_state_hash dup ok
++@c         re_node_set_compare dup ok
++@c         create_ci_newstate asmalloc, memleak
++@c          calloc dup asmalloc, memleak
++@c          re_node_set_init_copy dup asmalloc, memleak
++@c          (re_)free dup asmalloc, memleak
++@c          register_state dup asmalloc, memleak
++@c          free_state dup asmalloc, memleak
++@c       re_acquire_state_context dup asmalloc, memleak
++@c       re_node_set_merge dup asmalloc, memleak
++@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
++@c        re_node_set_init_empty dup ok
++@c        check_node_accept_bytes (maybe glocale), ***wcscoll
++@c         re_string_byte_at dup ok
++@c         re_string_char_size_at dup ok
++@c         re_string_elem_size_at (maybe glocale)
++@c          _NL_CURRENT_WORD dup ok
++@c          _NL_CURRENT dup ok
++@c          auto findidx dup ok
++@c         _NL_CURRENT_WORD dup ok
++@c         _NL_CURRENT dup ok
++@c         collseq_table_lookup dup ok
++@c         find_collation_sequence_value (maybe glocale)
++@c          _NL_CURRENT_WORD dup ok
++@c          _NL_CURRENT dup ok
++@c         auto findidx dup ok
++@c         wcscoll ***wcscoll
++@c        re_node_set_empty dup ok
++@c        re_node_set_merge dup asmalloc, memleak
++@c        re_node_set_free dup asmalloc, memleak
++@c        re_node_set_insert dup asmalloc, memleak
++@c        re_acquire_state dup asmalloc, memleak
++@c        check_node_accept ok
++@c         re_string_byte_at dup ok
++@c         bitset_contain dup ok
++@c         re_string_context_at dup ok
++@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
++@c      match_ctx_add_entry asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c       (re_)free dup asmalloc, memleak
++@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     find_subexp_node dup
++@c     calloc dup asmalloc, memleak
++@c     check_arrival dup ***
++@c     match_ctx_add_sublast asmalloc, memleak
++@c      (re_)realloc dup asmalloc, memleak
++@c    re_acquire_state_context dup asmalloc, memleak
++@c    re_node_set_init_union asmalloc, memleak
++@c     (re_)malloc dup asmalloc, memleak
++@c     re_node_set_init_copy dup asmalloc, memleak
++@c     re_node_set_init_empty dup ok
++@c    re_node_set_free dup asmalloc, memleak
++@c    check_subexp_matching_top dup asmalloc, memleak
++@c   check_halt_state_context ok
++@c    re_string_context_at dup ok
++@c    check_halt_node_context ok
++@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
++@c   re_string_eoi dup ok
++@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c   transit_state
++@c    transit_state_mb
++@c     re_string_context_at dup ok
++@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
++@c     check_node_accept_bytes dup
++@c     re_string_cur_idx dup ok
++@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
++@c     re_node_set_init_union dup asmalloc, memleak
++@c     re_acquire_state_context dup asmalloc, memleak
++@c    re_string_fetch_byte dup ok
++@c    re_string_context_at dup ok
++@c    build_trtable asmalloc, memleak
++@c     (re_)malloc dup asmalloc, memleak
++@c     group_nodes_into_DFAstates asmalloc, memleak
++@c      bitset_empty dup ok
++@c      bitset_set dup ok
++@c      bitset_merge dup ok
++@c      bitset_set_all ok
++@c      bitset_clear ok
++@c      bitset_contain dup ok
++@c      bitset_copy ok
++@c      re_node_set_init_copy dup asmalloc, memleak
++@c      re_node_set_insert dup asmalloc, memleak
++@c      re_node_set_init_1 dup asmalloc, memleak
++@c      re_node_set_free dup asmalloc, memleak
++@c     re_node_set_alloc dup asmalloc, memleak
++@c     malloc dup asmalloc, memleak
++@c     free dup asmalloc, memleak
++@c     re_node_set_free dup asmalloc, memleak
++@c     bitset_empty ok
++@c     re_node_set_empty dup ok
++@c     re_node_set_merge dup asmalloc, memleak
++@c     re_acquire_state_context dup asmalloc, memleak
++@c     bitset_merge ok
++@c     calloc dup asmalloc, memleak
++@c     bitset_contain dup ok
++@c   merge_state_with_log
++@c    re_string_cur_idx dup ok
++@c    re_node_set_init_union dup asmalloc, memleak
++@c    re_string_context_at dup ok
++@c    re_node_set_free dup asmalloc, memleak
++@c    check_subexp_matching_top asmalloc, memleak
++@c     match_ctx_add_subtop dup asmalloc, memleak
++@c    transit_state_bkref dup
++@c   find_recover_state
++@c    re_string_cur_idx dup ok
++@c    re_string_skip_bytes dup ok
++@c    merge_state_with_log dup
++@c  check_halt_state_context dup
++@c  prune_impossible_nodes
++@c   (re_)malloc dup asmalloc, memleak
++@c   sift_ctx_init ok
++@c    re_node_set_init_empty dup ok
++@c   sift_states_backward
++@c    re_node_set_init_1 dup asmalloc, memleak
++@c    update_cur_sifted_state asmalloc, memleak
++@c     add_epsilon_src_nodes asmalloc, memleak
++@c      re_acquire_state dup asmalloc, memleak
++@c      re_node_set_alloc dup asmalloc, memleak
++@c      re_node_set_merge dup asmalloc, memleak
++@c      re_node_set_add_intersect asmalloc, memleak
++@c       (re_)realloc dup asmalloc, memleak
++@c     check_subexp_limits asmalloc, memleak
++@c      sub_epsilon_src_nodes asmalloc, memleak
++@c       re_node_set_init_empty dup ok
++@c       re_node_set_contains dup ok
++@c       re_node_set_add_intersect dup asmalloc, memleak
++@c       re_node_set_free dup asmalloc, memleak
++@c       re_node_set_remove_at dup ok
++@c      re_node_set_contains dup ok
++@c     re_acquire_state dup asmalloc, memleak
++@c     sift_states_bkref asmalloc, memleak
++@c      search_cur_bkref_entry dup ok
++@c      check_dst_limits ok
++@c       search_cur_bkref_entry dup ok
++@c       check_dst_limits_calc_pos ok
++@c        check_dst_limits_calc_pos_1 ok
++@c      re_node_set_init_copy dup asmalloc, memleak
++@c      re_node_set_insert dup asmalloc, memleak
++@c      sift_states_backward dup
++@c      merge_state_array dup asmalloc, memleak
++@c      re_node_set_remove ok
++@c       re_node_set_contains dup ok
++@c       re_node_set_remove_at dup ok
++@c      re_node_set_free dup asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c    re_node_set_empty dup ok
++@c    build_sifted_states
++@c     sift_states_iter_mb
++@c      check_node_accept_bytes dup
++@c     check_node_accept dup ok
++@c     check_dst_limits dup ok
++@c     re_node_set_insert dup asmalloc, memleak
++@c   re_node_set_free dup asmalloc, memleak
++@c   check_halt_state_context dup ok
++@c   merge_state_array asmalloc, memleak
++@c    re_node_set_init_union dup asmalloc, memleak
++@c    re_acquire_state dup asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  set_regs asmalloc, memleak
++@c   (re_)malloc dup asmalloc, memleak
++@c   re_node_set_init_empty dup ok
++@c   free_fail_stack_return asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   update_regs ok
++@c   re_node_set_free dup asmalloc, memleak
++@c   pop_fail_stack asmalloc, memleak
++@c    re_node_set_free dup asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  (re_)free dup asmalloc, memleak
++@c  match_ctx_free asmalloc, memleak
++@c   match_ctx_clean asmalloc, memleak
++@c    (re_)free dup asmalloc, memleak
++@c   (re_)free dup asmalloc, memleak
++@c  re_string_destruct dup asmalloc, memleak
++@c libc_lock_unlock lockleak
+ This function tries to match the compiled regular expression
+ @code{*@var{compiled}} against @var{string}.
+ 
+@@ -1051,6 +1532,9 @@ free the storage it uses by calling @code{regfree}.
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun void regfree (regex_t *@var{compiled})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
++@c (re_)free dup asmalloc, memleak
++@c free_dfa_content dup asmalloc, memleak
+ Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
+ points to.  This includes various internal fields of the @code{regex_t}
+ structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b37401d04453d34fc6314fdc54606a46e8fb2627

commit b37401d04453d34fc6314fdc54606a46e8fb2627
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 12:19:21 2013 -0300

    Refresh of wip-manual-document-mt-safety-pattern.patch

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 376566e..4b66204 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,10 +736,251 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
-@c (re_)malloc
-@c re_compile_internal
-@c re_compile_fastmap
-@c (re_)free
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c All of the issues have to do with memory allocation and multi-byte 
+@c character handling present in the input string, or implied by ranges
+@c or inverted character classes.
+@c (re_)malloc asmalloc, memleak
+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
+@c    callers that don't zero the buffer)
+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   (re_)malloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c   _NL_CURRENT ok
+@c   _NL_CURRENT_WORD ok
+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  libc_lock_init ok
+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_construct_common ok
+@c   re_string_realloc_buffers asmalloc, memleak
+@c    (re_)realloc dup asmalloc, memleak
+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    isascii ok
+@c    mbsinit ok
+@c    toupper ok
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    iswlower glocale
+@c    towupper glocale
+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    (re_)malloc dup asmalloc, memleak
+@c   build_upper_buffer ok (glocale, but optimized)
+@c    islower ok
+@c    toupper ok
+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_translate_buffer ok
+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    peek_token ok (maybe glocale)
+@c     re_string_eoi ok
+@c     re_string_peek_byte ok
+@c     re_string_cur_idx ok
+@c     re_string_length ok
+@c     re_string_peek_byte_case ok (maybe glocale)
+@c      re_string_peek_byte dup ok
+@c      re_string_is_single_byte_char ok
+@c      isascii ok
+@c      re_string_peek_byte dup ok
+@c     re_string_wchar_at ok
+@c     re_string_skip_bytes ok
+@c    re_string_skip_bytes dup ok
+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_token_tree dup asmalloc, memleak
+@c      re_string_eoi dup ok
+@c      re_string_first_byte ok
+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_tree dup asmalloc, memleak
+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       postorder() asmalloc, memleak
+@c        free_tree asmalloc, memleak
+@c         free_token dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       _NL_CURRENT dup ok
+@c       _NL_CURRENT_WORD dup ok
+@c       calloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       peek_token_bracket ok
+@c        re_string_eoi dup ok
+@c        re_string_peek_byte dup ok
+@c        re_string_first_byte dup ok
+@c        re_string_cur_idx dup ok
+@c        re_string_length dup ok
+@c        re_string_skip_bytes dup ok
+@c       bitset_set ok
+@c       re_string_skip_bytes ok
+@c       parse_bracket_element ok (maybe glocale)
+@c        re_string_char_size_at ok
+@c        re_string_wchar_at dup ok
+@c        re_string_skip_bytes dup ok
+@c        parse_bracket_symbol ok (maybe glocale)
+@c         re_string_eoi dup ok
+@c         re_string_fetch_byte_case ok (maybe glocale)
+@c          re_string_fetch_byte ok
+@c          re_string_first_byte dup ok
+@c          isascii ok
+@c          re_string_char_size_at dup ok
+@c          re_string_skip_bytes dup ok
+@c         re_string_fetch_byte dup ok
+@c         re_string_peek_byte dup ok
+@c         re_string_skip_bytes dup ok
+@c        peek_token_bracket dup
+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         collseq_table_lookup ok
+@c         auto seek_collating_symbol_entry dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c        collseq_table_lookup dup ok
+@c       bitset_set dup ok
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_equiv_class (maybe glocale), asmalloc, memleak
+@c        _NL_CURRENT ok
+@c        auto findidx ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       auto build_collating_symbol asmalloc, memleak
+@c        auto seek_collating_symbol_entry ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       build_charclass (maybe glocale), asmalloc, memleak
+@c        (re_)realloc dup asmalloc, memleak
+@c        bitset_set dup ok
+@c        isalnum ok
+@c        iscntrl ok
+@c        isspace ok
+@c        isalpha ok
+@c        isdigit ok
+@c        isprint ok
+@c        isupper ok
+@c        isblank ok
+@c        isgraph ok
+@c        ispunct ok
+@c        isxdigit ok
+@c       bitset_not ok
+@c       bitset_mask ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c      init_word_char (maybe glocale)
+@c       isalnum ok
+@c      build_charclass_op (maybe glocale), asmalloc, memleak
+@c       calloc dup asmalloc, memleak
+@c       build_charclass dup (maybe glocale), asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c       bitset_set dup ok
+@c       bitset_not dup ok
+@c       bitset_mask dup ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_cur_idx dup ok
+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_set_index ok
+@c       postorder() asmalloc, memleak
+@c        free_tree dup asmalloc, memleak
+@c        mark_opt_subexp ok
+@c       duplicate_tree asmalloc, memleak
+@c        create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c     postorder() asmalloc, memleak
+@c      free_tree dup asmalloc, memleak
+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    create_tree dup asmalloc, memleak
+@c   create_tree asmalloc, memleak
+@c    create_token_tree asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c  analyze asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   preorder() asmalloc, memleak
+@c    optimize_subexps ok
+@c    calc_next ok
+@c    link_nfa_nodes asmalloc, memleak
+@c     re_node_set_init_1 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_2 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c   postorder() asmalloc, memleak
+@c    lower_subexps asmalloc, memleak
+@c     lower_subexp asmalloc, memleak
+@c      create_tree dup asmalloc, memleak
+@c    calc_first asmalloc, memleak
+@c     re_dfa_add_node asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c      re_node_set_init_empty ok
+@c   calc_eclosure asmalloc, memleak
+@c    calc_eclosure_iter asmalloc, memleak
+@c     re_node_set_alloc asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     duplicate_node_closure asmalloc, memleak
+@c      re_node_set_empty ok
+@c      duplicate_node asmalloc, memleak
+@c       re_dfa_add_node dup asmalloc, memleak
+@c      re_node_set_insert asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c      search_duplicated_node ok
+@c     re_node_set_merge asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c     re_node_set_free asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     re_node_set_insert dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   calc_inveclosure asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c    re_node_set_insert_last asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c  optimize_utf8 ok
+@c  create_initial_state asmalloc, memleak
+@c   re_node_set_init_copy asmalloc, memleak
+@c    (re_)malloc dup asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c   re_node_set_contains ok
+@c   re_node_set_merge dup asmalloc, memleak
+@c   re_acquire_state_context asmalloc, memleak
+@c    calc_state_hash ok
+@c    re_node_set_compare ok
+@c    create_cd_newstate asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c     free_state asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     NOT_SATISFY_PREV_CONSTRAINT ok
+@c     re_node_set_remove_at ok
+@c     register_state asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_insert_last dup asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c  free_workarea_compile asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  free_dfa_content asmalloc, memleak
+@c   free_token asmalloc, memleak
+@c    free_charset asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_set_fastmap ok
+@c    tolower ok
+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   towlower glocale
+@c   _NL_CURRENT ok
+@c (re_)free asmalloc, memleak
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for
@@ -889,6 +1130,246 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@c libc_lock_lock selfdeadlock, lockleak
+@c re_search_internal
+@c  re_string_allocate asmalloc, memleak
+@c   re_string_construct_common dup ok
+@c   re_string_realloc_buffers dup asmalloc, memleak
+@c  match_ctx_init asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c  re_string_byte_at ok
+@c  re_string_first_byte dup ok
+@c  check_matching
+@c   re_string_cur_idx dup ok
+@c   acquire_init_state_context dup asmalloc, memleak
+@c    re_string_context_at ok
+@c     re_string_byte_at dup ok
+@c     bitset_contain ok
+@c    re_acquire_state_context dup asmalloc, memleak
+@c   check_subexp_matching_top asmalloc, memleak
+@c    match_ctx_add_subtop asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c   transit_state_bkref
+@c    re_string_cur_idx dup ok
+@c    re_string_context_at dup ok
+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c     re_string_get_buffer ok
+@c     search_cur_bkref_entry ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_realloc_buffers dup asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       build_upper_buffer dup ok (glocale, but optimized)
+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_translate_buffer dup ok
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c       (re_)realloc dup asmalloc, memleak
+@c       re_string_context_at dup ok
+@c       re_node_set_init_1 dup asmalloc, memleak
+@c       check_arrival_expand_ecl asmalloc, memleak
+@c        re_node_set_alloc dup asmalloc, memleak
+@c        find_subexp_node ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        check_arrival_expand_ecl_sub asmalloc, memleak
+@c         re_node_set_contains dup ok
+@c         re_node_set_insert dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_init_copy dup asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       expand_bkref_cache asmalloc, memleak
+@c        search_cur_bkref_entry dup ok
+@c        re_node_set_contains dup ok
+@c        re_node_set_init_1 dup asmalloc, memleak
+@c        check_arrival_expand_ecl dup asmalloc, memleak
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_init_copy dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_acquire_state asmalloc, memleak
+@c         calc_state_hash dup ok
+@c         re_node_set_compare dup ok
+@c         create_ci_newstate asmalloc, memleak
+@c          calloc dup asmalloc, memleak
+@c          re_node_set_init_copy dup asmalloc, memleak
+@c          (re_)free dup asmalloc, memleak
+@c          register_state dup asmalloc, memleak
+@c          free_state dup asmalloc, memleak
+@c       re_acquire_state_context dup asmalloc, memleak
+@c       re_node_set_merge dup asmalloc, memleak
+@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
+@c        re_node_set_init_empty dup ok
+@c        check_node_accept_bytes (maybe glocale), ***wcscoll
+@c         re_string_byte_at dup ok
+@c         re_string_char_size_at dup ok
+@c         re_string_elem_size_at (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c          auto findidx dup ok
+@c         _NL_CURRENT_WORD dup ok
+@c         _NL_CURRENT dup ok
+@c         collseq_table_lookup dup ok
+@c         find_collation_sequence_value (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c         auto findidx dup ok
+@c         wcscoll ***wcscoll
+@c        re_node_set_empty dup ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_acquire_state dup asmalloc, memleak
+@c        check_node_accept ok
+@c         re_string_byte_at dup ok
+@c         bitset_contain dup ok
+@c         re_string_context_at dup ok
+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c      match_ctx_add_entry asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     find_subexp_node dup
+@c     calloc dup asmalloc, memleak
+@c     check_arrival dup ***
+@c     match_ctx_add_sublast asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c    re_acquire_state_context dup asmalloc, memleak
+@c    re_node_set_init_union asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     re_node_set_init_empty dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top dup asmalloc, memleak
+@c   check_halt_state_context ok
+@c    re_string_context_at dup ok
+@c    check_halt_node_context ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c   re_string_eoi dup ok
+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   transit_state
+@c    transit_state_mb
+@c     re_string_context_at dup ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c     check_node_accept_bytes dup
+@c     re_string_cur_idx dup ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_node_set_init_union dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c    re_string_fetch_byte dup ok
+@c    re_string_context_at dup ok
+@c    build_trtable asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     group_nodes_into_DFAstates asmalloc, memleak
+@c      bitset_empty dup ok
+@c      bitset_set dup ok
+@c      bitset_merge dup ok
+@c      bitset_set_all ok
+@c      bitset_clear ok
+@c      bitset_contain dup ok
+@c      bitset_copy ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      re_node_set_init_1 dup asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c     re_node_set_alloc dup asmalloc, memleak
+@c     malloc dup asmalloc, memleak
+@c     free dup asmalloc, memleak
+@c     re_node_set_free dup asmalloc, memleak
+@c     bitset_empty ok
+@c     re_node_set_empty dup ok
+@c     re_node_set_merge dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c     bitset_merge ok
+@c     calloc dup asmalloc, memleak
+@c     bitset_contain dup ok
+@c   merge_state_with_log
+@c    re_string_cur_idx dup ok
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_string_context_at dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top asmalloc, memleak
+@c     match_ctx_add_subtop dup asmalloc, memleak
+@c    transit_state_bkref dup
+@c   find_recover_state
+@c    re_string_cur_idx dup ok
+@c    re_string_skip_bytes dup ok
+@c    merge_state_with_log dup
+@c  check_halt_state_context dup
+@c  prune_impossible_nodes
+@c   (re_)malloc dup asmalloc, memleak
+@c   sift_ctx_init ok
+@c    re_node_set_init_empty dup ok
+@c   sift_states_backward
+@c    re_node_set_init_1 dup asmalloc, memleak
+@c    update_cur_sifted_state asmalloc, memleak
+@c     add_epsilon_src_nodes asmalloc, memleak
+@c      re_acquire_state dup asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_merge dup asmalloc, memleak
+@c      re_node_set_add_intersect asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c     check_subexp_limits asmalloc, memleak
+@c      sub_epsilon_src_nodes asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_add_intersect dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_contains dup ok
+@c     re_acquire_state dup asmalloc, memleak
+@c     sift_states_bkref asmalloc, memleak
+@c      search_cur_bkref_entry dup ok
+@c      check_dst_limits ok
+@c       search_cur_bkref_entry dup ok
+@c       check_dst_limits_calc_pos ok
+@c        check_dst_limits_calc_pos_1 ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      sift_states_backward dup
+@c      merge_state_array dup asmalloc, memleak
+@c      re_node_set_remove ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_free dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    re_node_set_empty dup ok
+@c    build_sifted_states
+@c     sift_states_iter_mb
+@c      check_node_accept_bytes dup
+@c     check_node_accept dup ok
+@c     check_dst_limits dup ok
+@c     re_node_set_insert dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c   check_halt_state_context dup ok
+@c   merge_state_array asmalloc, memleak
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_acquire_state dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  set_regs asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   re_node_set_init_empty dup ok
+@c   free_fail_stack_return asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   update_regs ok
+@c   re_node_set_free dup asmalloc, memleak
+@c   pop_fail_stack asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  (re_)free dup asmalloc, memleak
+@c  match_ctx_free asmalloc, memleak
+@c   match_ctx_clean asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct dup asmalloc, memleak
+@c libc_lock_unlock lockleak
 This function tries to match the compiled regular expression
 @code{*@var{compiled}} against @var{string}.
 
@@ -1051,6 +1532,9 @@ free the storage it uses by calling @code{regfree}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun void regfree (regex_t *@var{compiled})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c (re_)free dup asmalloc, memleak
+@c free_dfa_content dup asmalloc, memleak
 Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
 points to.  This includes various internal fields of the @code{regex_t}
 structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac662fe6d252a3d5739fc99789ddeb4816704ba0

commit ac662fe6d252a3d5739fc99789ddeb4816704ba0
Merge: 650f9c3 e8af539 5798235
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:03:10 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=650f9c331687fb4ba420e98aba978b4a07410553

commit 650f9c331687fb4ba420e98aba978b4a07410553
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:03:10 2013 -0300

    refresh

diff --git a/meta b/meta
index 233a9ac..45dcd5d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 340235a641ecd6a7e87b1643cda5ff428fa4eba4
-Head: f70b5df15d5f8b162769b4197772032c9aa97294
+Previous: 57982356a25c9317f2b934db8d7b81e8d9ac02da
+Head: e8af539713392c27e540158b90c5c8c57a34dde0
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -29,7 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
   wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
-  wip-manual-document-mt-safety-pattern.patch: fd02b804ae016376ee8a4fcc8e077b5c7528d172
-  refresh-temp: f70b5df15d5f8b162769b4197772032c9aa97294
+  wip-manual-document-mt-safety-pattern.patch: e8af539713392c27e540158b90c5c8c57a34dde0
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index d901418..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,24 +0,0 @@
-Bottom: 15a8300141ee19f4516dae06220c3f742c3d7c85
-Top:    43752d35196008e73c5b6234ceb965ba6b80c8ef
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 03:03:09 -0300
-
-Refresh of wip-manual-document-mt-safety-pattern.patch
-
----
-
-diff --git a/manual/pattern.texi b/manual/pattern.texi
-index 1966f3f..376566e 100644
---- a/manual/pattern.texi
-+++ b/manual/pattern.texi
-@@ -736,6 +736,10 @@ expression into it by calling @code{regcomp}.
- @comment regex.h
- @comment POSIX.2
- @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
-+@c (re_)malloc
-+@c re_compile_internal
-+@c re_compile_fastmap
-+@c (re_)free
- The function @code{regcomp} ``compiles'' a regular expression into a
- data structure that you can use with @code{regexec} to match against a
- string.  The compiled regular expression format is designed for
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
index 797949e..86b5d47 100644
--- a/patches/wip-manual-document-mt-safety-pattern.patch
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -1,5 +1,5 @@
 Bottom: 15a8300141ee19f4516dae06220c3f742c3d7c85
-Top:    15a8300141ee19f4516dae06220c3f742c3d7c85
+Top:    43752d35196008e73c5b6234ceb965ba6b80c8ef
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 03:02:58 -0300
 
@@ -12,4 +12,18 @@ for ChangeLog
 
 ---
 
-
+diff --git a/manual/pattern.texi b/manual/pattern.texi
+index 1966f3f..376566e 100644
+--- a/manual/pattern.texi
++++ b/manual/pattern.texi
+@@ -736,6 +736,10 @@ expression into it by calling @code{regcomp}.
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
++@c (re_)malloc
++@c re_compile_internal
++@c re_compile_fastmap
++@c (re_)free
+ The function @code{regcomp} ``compiles'' a regular expression into a
+ data structure that you can use with @code{regexec} to match against a
+ string.  The compiled regular expression format is designed for

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=57982356a25c9317f2b934db8d7b81e8d9ac02da

commit 57982356a25c9317f2b934db8d7b81e8d9ac02da
Merge: afc1aa5 f70b5df 340235a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:03:10 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=afc1aa56260860ab23c376dc04b9b9902a91a276

commit afc1aa56260860ab23c376dc04b9b9902a91a276
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:03:10 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 32ab2f0..233a9ac 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 367167abc3fb6ec6e1a4102842004e3da003c1c6
-Head: fd02b804ae016376ee8a4fcc8e077b5c7528d172
+Previous: 340235a641ecd6a7e87b1643cda5ff428fa4eba4
+Head: f70b5df15d5f8b162769b4197772032c9aa97294
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -30,5 +30,6 @@ Applied:
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
   wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
   wip-manual-document-mt-safety-pattern.patch: fd02b804ae016376ee8a4fcc8e077b5c7528d172
+  refresh-temp: f70b5df15d5f8b162769b4197772032c9aa97294
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..d901418
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,24 @@
+Bottom: 15a8300141ee19f4516dae06220c3f742c3d7c85
+Top:    43752d35196008e73c5b6234ceb965ba6b80c8ef
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 03:03:09 -0300
+
+Refresh of wip-manual-document-mt-safety-pattern.patch
+
+---
+
+diff --git a/manual/pattern.texi b/manual/pattern.texi
+index 1966f3f..376566e 100644
+--- a/manual/pattern.texi
++++ b/manual/pattern.texi
+@@ -736,6 +736,10 @@ expression into it by calling @code{regcomp}.
+ @comment regex.h
+ @comment POSIX.2
+ @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
++@c (re_)malloc
++@c re_compile_internal
++@c re_compile_fastmap
++@c (re_)free
+ The function @code{regcomp} ``compiles'' a regular expression into a
+ data structure that you can use with @code{regexec} to match against a
+ string.  The compiled regular expression format is designed for

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f70b5df15d5f8b162769b4197772032c9aa97294

commit f70b5df15d5f8b162769b4197772032c9aa97294
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:03:09 2013 -0300

    Refresh of wip-manual-document-mt-safety-pattern.patch

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..376566e 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,10 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@c (re_)malloc
+@c re_compile_internal
+@c re_compile_fastmap
+@c (re_)free
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=286fc6e694c6817dda55cebcdac48f49d58232ff

commit 286fc6e694c6817dda55cebcdac48f49d58232ff
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..4b66204 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,251 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c All of the issues have to do with memory allocation and multi-byte 
+@c character handling present in the input string, or implied by ranges
+@c or inverted character classes.
+@c (re_)malloc asmalloc, memleak
+@c re_compile_internal glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  (re_)realloc asmalloc, memleak (asynconsist, incansist, for other
+@c    callers that don't zero the buffer)
+@c  init_dfa glocale, asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   (re_)malloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c   _NL_CURRENT ok
+@c   _NL_CURRENT_WORD ok
+@c   btowc asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  libc_lock_init ok
+@c  re_string_construct glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_construct_common ok
+@c   re_string_realloc_buffers asmalloc, memleak
+@c    (re_)realloc dup asmalloc, memleak
+@c   build_wcs_upper_buffer glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    isascii ok
+@c    mbsinit ok
+@c    toupper ok
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    iswlower glocale
+@c    towupper glocale
+@c    wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    (re_)malloc dup asmalloc, memleak
+@c   build_upper_buffer ok (glocale, but optimized)
+@c    islower ok
+@c    toupper ok
+@c   build_wcs_buffer asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_string_translate_buffer ok
+@c  parse (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   fetch_token (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    peek_token ok (maybe glocale)
+@c     re_string_eoi ok
+@c     re_string_peek_byte ok
+@c     re_string_cur_idx ok
+@c     re_string_length ok
+@c     re_string_peek_byte_case ok (maybe glocale)
+@c      re_string_peek_byte dup ok
+@c      re_string_is_single_byte_char ok
+@c      isascii ok
+@c      re_string_peek_byte dup ok
+@c     re_string_wchar_at ok
+@c     re_string_skip_bytes ok
+@c    re_string_skip_bytes dup ok
+@c   parse_reg_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     parse_expression (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_token_tree dup asmalloc, memleak
+@c      re_string_eoi dup ok
+@c      re_string_first_byte ok
+@c      fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      create_tree dup asmalloc, memleak
+@c      parse_sub_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       parse_reg_exp dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       postorder() asmalloc, memleak
+@c        free_tree asmalloc, memleak
+@c         free_token dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_bracket_exp (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       _NL_CURRENT dup ok
+@c       _NL_CURRENT_WORD dup ok
+@c       calloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       peek_token_bracket ok
+@c        re_string_eoi dup ok
+@c        re_string_peek_byte dup ok
+@c        re_string_first_byte dup ok
+@c        re_string_cur_idx dup ok
+@c        re_string_length dup ok
+@c        re_string_skip_bytes dup ok
+@c       bitset_set ok
+@c       re_string_skip_bytes ok
+@c       parse_bracket_element ok (maybe glocale)
+@c        re_string_char_size_at ok
+@c        re_string_wchar_at dup ok
+@c        re_string_skip_bytes dup ok
+@c        parse_bracket_symbol ok (maybe glocale)
+@c         re_string_eoi dup ok
+@c         re_string_fetch_byte_case ok (maybe glocale)
+@c          re_string_fetch_byte ok
+@c          re_string_first_byte dup ok
+@c          isascii ok
+@c          re_string_char_size_at dup ok
+@c          re_string_skip_bytes dup ok
+@c         re_string_fetch_byte dup ok
+@c         re_string_peek_byte dup ok
+@c         re_string_skip_bytes dup ok
+@c        peek_token_bracket dup
+@c       auto build_range_exp asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        auto lookup_collation_sequence_value asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         btowc dup asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c         collseq_table_lookup ok
+@c         auto seek_collating_symbol_entry dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c        collseq_table_lookup dup ok
+@c       bitset_set dup ok
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_equiv_class (maybe glocale), asmalloc, memleak
+@c        _NL_CURRENT ok
+@c        auto findidx ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       auto build_collating_symbol asmalloc, memleak
+@c        auto seek_collating_symbol_entry ok
+@c        bitset_set dup ok
+@c        (re_)realloc dup asmalloc, memleak
+@c       build_charclass (maybe glocale), asmalloc, memleak
+@c        (re_)realloc dup asmalloc, memleak
+@c        bitset_set dup ok
+@c        isalnum ok
+@c        iscntrl ok
+@c        isspace ok
+@c        isalpha ok
+@c        isdigit ok
+@c        isprint ok
+@c        isupper ok
+@c        isblank ok
+@c        isgraph ok
+@c        ispunct ok
+@c        isxdigit ok
+@c       bitset_not ok
+@c       bitset_mask ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c      init_word_char (maybe glocale)
+@c       isalnum ok
+@c      build_charclass_op (maybe glocale), asmalloc, memleak
+@c       calloc dup asmalloc, memleak
+@c       build_charclass dup (maybe glocale), asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c       free_charset dup asmalloc, memleak
+@c       bitset_set dup ok
+@c       bitset_not dup ok
+@c       bitset_mask dup ok
+@c       create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c      parse_dup_op (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_cur_idx dup ok
+@c       fetch_number ok (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c        fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_set_index ok
+@c       postorder() asmalloc, memleak
+@c        free_tree dup asmalloc, memleak
+@c        mark_opt_subexp ok
+@c       duplicate_tree asmalloc, memleak
+@c        create_token_tree dup asmalloc, memleak
+@c       create_tree dup asmalloc, memleak
+@c     postorder() asmalloc, memleak
+@c      free_tree dup asmalloc, memleak
+@c    fetch_token dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    parse_branch dup (maybe glocale), asynconsist, asmalloc, sefldeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c    create_tree dup asmalloc, memleak
+@c   create_tree asmalloc, memleak
+@c    create_token_tree asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c  analyze asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   preorder() asmalloc, memleak
+@c    optimize_subexps ok
+@c    calc_next ok
+@c    link_nfa_nodes asmalloc, memleak
+@c     re_node_set_init_1 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_2 asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c   postorder() asmalloc, memleak
+@c    lower_subexps asmalloc, memleak
+@c     lower_subexp asmalloc, memleak
+@c      create_tree dup asmalloc, memleak
+@c    calc_first asmalloc, memleak
+@c     re_dfa_add_node asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c      re_node_set_init_empty ok
+@c   calc_eclosure asmalloc, memleak
+@c    calc_eclosure_iter asmalloc, memleak
+@c     re_node_set_alloc asmalloc, memleak
+@c      (re_)malloc dup asmalloc, memleak
+@c     duplicate_node_closure asmalloc, memleak
+@c      re_node_set_empty ok
+@c      duplicate_node asmalloc, memleak
+@c       re_dfa_add_node dup asmalloc, memleak
+@c      re_node_set_insert asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c      search_duplicated_node ok
+@c     re_node_set_merge asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c     re_node_set_free asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     re_node_set_insert dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   calc_inveclosure asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c    re_node_set_insert_last asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c  optimize_utf8 ok
+@c  create_initial_state asmalloc, memleak
+@c   re_node_set_init_copy asmalloc, memleak
+@c    (re_)malloc dup asmalloc, memleak
+@c    re_node_set_init_empty dup ok
+@c   re_node_set_contains ok
+@c   re_node_set_merge dup asmalloc, memleak
+@c   re_acquire_state_context asmalloc, memleak
+@c    calc_state_hash ok
+@c    re_node_set_compare ok
+@c    create_cd_newstate asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c     free_state asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c      (re_)free dup asmalloc, memleak
+@c     NOT_SATISFY_PREV_CONSTRAINT ok
+@c     re_node_set_remove_at ok
+@c     register_state asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_insert_last dup asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c  free_workarea_compile asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  free_dfa_content asmalloc, memleak
+@c   free_token asmalloc, memleak
+@c    free_charset asmalloc, memleak
+@c     (re_)free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c re_compile_fastmap glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c  re_compile_fastmap_iter glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   re_set_fastmap ok
+@c    tolower ok
+@c   mbrtowc dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   wcrtomb dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   towlower glocale
+@c   _NL_CURRENT ok
+@c (re_)free asmalloc, memleak
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for
@@ -885,6 +1130,246 @@ unless the regular expression contains anchor characters (@samp{^} or
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regexec (const regex_t *restrict @var{compiled}, const char *restrict @var{string}, size_t @var{nmatch}, regmatch_t @var{matchptr}[restrict], int @var{eflags})
+@c libc_lock_lock selfdeadlock, lockleak
+@c re_search_internal
+@c  re_string_allocate asmalloc, memleak
+@c   re_string_construct_common dup ok
+@c   re_string_realloc_buffers dup asmalloc, memleak
+@c  match_ctx_init asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c  re_string_byte_at ok
+@c  re_string_first_byte dup ok
+@c  check_matching
+@c   re_string_cur_idx dup ok
+@c   acquire_init_state_context dup asmalloc, memleak
+@c    re_string_context_at ok
+@c     re_string_byte_at dup ok
+@c     bitset_contain ok
+@c    re_acquire_state_context dup asmalloc, memleak
+@c   check_subexp_matching_top asmalloc, memleak
+@c    match_ctx_add_subtop asmalloc, memleak
+@c     (re_)realloc dup asmalloc, memleak
+@c     calloc dup asmalloc, memleak
+@c   transit_state_bkref
+@c    re_string_cur_idx dup ok
+@c    re_string_context_at dup ok
+@c    NOT_SATISFY_NEXT_CONSTRAINT ok
+@c    get_subexp glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c     re_string_get_buffer ok
+@c     search_cur_bkref_entry ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c      extend_buffers glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_realloc_buffers dup asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       build_wcs_upper_buffer dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       build_upper_buffer dup ok (glocale, but optimized)
+@c       build_wcs_buffer dup asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c       re_string_translate_buffer dup ok
+@c     get_subexp_sub glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c      check_arrival glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak, ***wcscoll
+@c       (re_)realloc dup asmalloc, memleak
+@c       re_string_context_at dup ok
+@c       re_node_set_init_1 dup asmalloc, memleak
+@c       check_arrival_expand_ecl asmalloc, memleak
+@c        re_node_set_alloc dup asmalloc, memleak
+@c        find_subexp_node ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        check_arrival_expand_ecl_sub asmalloc, memleak
+@c         re_node_set_contains dup ok
+@c         re_node_set_insert dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_init_copy dup asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       expand_bkref_cache asmalloc, memleak
+@c        search_cur_bkref_entry dup ok
+@c        re_node_set_contains dup ok
+@c        re_node_set_init_1 dup asmalloc, memleak
+@c        check_arrival_expand_ecl dup asmalloc, memleak
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_init_copy dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_acquire_state asmalloc, memleak
+@c         calc_state_hash dup ok
+@c         re_node_set_compare dup ok
+@c         create_ci_newstate asmalloc, memleak
+@c          calloc dup asmalloc, memleak
+@c          re_node_set_init_copy dup asmalloc, memleak
+@c          (re_)free dup asmalloc, memleak
+@c          register_state dup asmalloc, memleak
+@c          free_state dup asmalloc, memleak
+@c       re_acquire_state_context dup asmalloc, memleak
+@c       re_node_set_merge dup asmalloc, memleak
+@c       check_arrival_add_next_nodes (maybe glocale), asmalloc, memleak, ***wcscoll
+@c        re_node_set_init_empty dup ok
+@c        check_node_accept_bytes (maybe glocale), ***wcscoll
+@c         re_string_byte_at dup ok
+@c         re_string_char_size_at dup ok
+@c         re_string_elem_size_at (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c          auto findidx dup ok
+@c         _NL_CURRENT_WORD dup ok
+@c         _NL_CURRENT dup ok
+@c         collseq_table_lookup dup ok
+@c         find_collation_sequence_value (maybe glocale)
+@c          _NL_CURRENT_WORD dup ok
+@c          _NL_CURRENT dup ok
+@c         auto findidx dup ok
+@c         wcscoll ***wcscoll
+@c        re_node_set_empty dup ok
+@c        re_node_set_merge dup asmalloc, memleak
+@c        re_node_set_free dup asmalloc, memleak
+@c        re_node_set_insert dup asmalloc, memleak
+@c        re_acquire_state dup asmalloc, memleak
+@c        check_node_accept ok
+@c         re_string_byte_at dup ok
+@c         bitset_contain dup ok
+@c         re_string_context_at dup ok
+@c         NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c      match_ctx_add_entry asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c       (re_)free dup asmalloc, memleak
+@c      clean_state_log_if_needed dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     find_subexp_node dup
+@c     calloc dup asmalloc, memleak
+@c     check_arrival dup ***
+@c     match_ctx_add_sublast asmalloc, memleak
+@c      (re_)realloc dup asmalloc, memleak
+@c    re_acquire_state_context dup asmalloc, memleak
+@c    re_node_set_init_union asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     re_node_set_init_copy dup asmalloc, memleak
+@c     re_node_set_init_empty dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top dup asmalloc, memleak
+@c   check_halt_state_context ok
+@c    re_string_context_at dup ok
+@c    check_halt_node_context ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c   re_string_eoi dup ok
+@c   extend_buffers dup glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c   transit_state
+@c    transit_state_mb
+@c     re_string_context_at dup ok
+@c     NOT_SATISFY_NEXT_CONSTRAINT dup ok
+@c     check_node_accept_bytes dup
+@c     re_string_cur_idx dup ok
+@c     clean_state_log_if_needed glocale, asynconsist, asmalloc, selfdeadlock, shlimb, incansist, lockleak, memleak, fdleak
+@c     re_node_set_init_union dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c    re_string_fetch_byte dup ok
+@c    re_string_context_at dup ok
+@c    build_trtable asmalloc, memleak
+@c     (re_)malloc dup asmalloc, memleak
+@c     group_nodes_into_DFAstates asmalloc, memleak
+@c      bitset_empty dup ok
+@c      bitset_set dup ok
+@c      bitset_merge dup ok
+@c      bitset_set_all ok
+@c      bitset_clear ok
+@c      bitset_contain dup ok
+@c      bitset_copy ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      re_node_set_init_1 dup asmalloc, memleak
+@c      re_node_set_free dup asmalloc, memleak
+@c     re_node_set_alloc dup asmalloc, memleak
+@c     malloc dup asmalloc, memleak
+@c     free dup asmalloc, memleak
+@c     re_node_set_free dup asmalloc, memleak
+@c     bitset_empty ok
+@c     re_node_set_empty dup ok
+@c     re_node_set_merge dup asmalloc, memleak
+@c     re_acquire_state_context dup asmalloc, memleak
+@c     bitset_merge ok
+@c     calloc dup asmalloc, memleak
+@c     bitset_contain dup ok
+@c   merge_state_with_log
+@c    re_string_cur_idx dup ok
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_string_context_at dup ok
+@c    re_node_set_free dup asmalloc, memleak
+@c    check_subexp_matching_top asmalloc, memleak
+@c     match_ctx_add_subtop dup asmalloc, memleak
+@c    transit_state_bkref dup
+@c   find_recover_state
+@c    re_string_cur_idx dup ok
+@c    re_string_skip_bytes dup ok
+@c    merge_state_with_log dup
+@c  check_halt_state_context dup
+@c  prune_impossible_nodes
+@c   (re_)malloc dup asmalloc, memleak
+@c   sift_ctx_init ok
+@c    re_node_set_init_empty dup ok
+@c   sift_states_backward
+@c    re_node_set_init_1 dup asmalloc, memleak
+@c    update_cur_sifted_state asmalloc, memleak
+@c     add_epsilon_src_nodes asmalloc, memleak
+@c      re_acquire_state dup asmalloc, memleak
+@c      re_node_set_alloc dup asmalloc, memleak
+@c      re_node_set_merge dup asmalloc, memleak
+@c      re_node_set_add_intersect asmalloc, memleak
+@c       (re_)realloc dup asmalloc, memleak
+@c     check_subexp_limits asmalloc, memleak
+@c      sub_epsilon_src_nodes asmalloc, memleak
+@c       re_node_set_init_empty dup ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_add_intersect dup asmalloc, memleak
+@c       re_node_set_free dup asmalloc, memleak
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_contains dup ok
+@c     re_acquire_state dup asmalloc, memleak
+@c     sift_states_bkref asmalloc, memleak
+@c      search_cur_bkref_entry dup ok
+@c      check_dst_limits ok
+@c       search_cur_bkref_entry dup ok
+@c       check_dst_limits_calc_pos ok
+@c        check_dst_limits_calc_pos_1 ok
+@c      re_node_set_init_copy dup asmalloc, memleak
+@c      re_node_set_insert dup asmalloc, memleak
+@c      sift_states_backward dup
+@c      merge_state_array dup asmalloc, memleak
+@c      re_node_set_remove ok
+@c       re_node_set_contains dup ok
+@c       re_node_set_remove_at dup ok
+@c      re_node_set_free dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    re_node_set_empty dup ok
+@c    build_sifted_states
+@c     sift_states_iter_mb
+@c      check_node_accept_bytes dup
+@c     check_node_accept dup ok
+@c     check_dst_limits dup ok
+@c     re_node_set_insert dup asmalloc, memleak
+@c   re_node_set_free dup asmalloc, memleak
+@c   check_halt_state_context dup ok
+@c   merge_state_array asmalloc, memleak
+@c    re_node_set_init_union dup asmalloc, memleak
+@c    re_acquire_state dup asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  set_regs asmalloc, memleak
+@c   (re_)malloc dup asmalloc, memleak
+@c   re_node_set_init_empty dup ok
+@c   free_fail_stack_return asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   update_regs ok
+@c   re_node_set_free dup asmalloc, memleak
+@c   pop_fail_stack asmalloc, memleak
+@c    re_node_set_free dup asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  (re_)free dup asmalloc, memleak
+@c  match_ctx_free asmalloc, memleak
+@c   match_ctx_clean asmalloc, memleak
+@c    (re_)free dup asmalloc, memleak
+@c   (re_)free dup asmalloc, memleak
+@c  re_string_destruct dup asmalloc, memleak
+@c libc_lock_unlock lockleak
 This function tries to match the compiled regular expression
 @code{*@var{compiled}} against @var{string}.
 
@@ -1047,6 +1532,9 @@ free the storage it uses by calling @code{regfree}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun void regfree (regex_t *@var{compiled})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c (re_)free dup asmalloc, memleak
+@c free_dfa_content dup asmalloc, memleak
 Calling @code{regfree} frees all the storage that @code{*@var{compiled}}
 points to.  This includes various internal fields of the @code{regex_t}
 structure that aren't documented in this manual.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e8af539713392c27e540158b90c5c8c57a34dde0

commit e8af539713392c27e540158b90c5c8c57a34dde0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

diff --git a/manual/pattern.texi b/manual/pattern.texi
index 1966f3f..376566e 100644
--- a/manual/pattern.texi
+++ b/manual/pattern.texi
@@ -736,6 +736,10 @@ expression into it by calling @code{regcomp}.
 @comment regex.h
 @comment POSIX.2
 @deftypefun int regcomp (regex_t *restrict @var{compiled}, const char *restrict @var{pattern}, int @var{cflags})
+@c (re_)malloc
+@c re_compile_internal
+@c re_compile_fastmap
+@c (re_)free
 The function @code{regcomp} ``compiles'' a regular expression into a
 data structure that you can use with @code{regexec} to match against a
 string.  The compiled regular expression format is designed for

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=340235a641ecd6a7e87b1643cda5ff428fa4eba4

commit 340235a641ecd6a7e87b1643cda5ff428fa4eba4
Merge: 976ed53 367167a fd02b80
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    new


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=976ed5335ad934eba1936ef552ead98a9e1dead1

commit 976ed5335ad934eba1936ef552ead98a9e1dead1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    new

diff --git a/meta b/meta
index d749556..32ab2f0 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5c8f728e217b3cc071402ce31689d0cc3ddbbe4f
-Head: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
+Previous: 367167abc3fb6ec6e1a4102842004e3da003c1c6
+Head: fd02b804ae016376ee8a4fcc8e077b5c7528d172
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
   wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
+  wip-manual-document-mt-safety-pattern.patch: fd02b804ae016376ee8a4fcc8e077b5c7528d172
 Unapplied:
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-pattern.patch b/patches/wip-manual-document-mt-safety-pattern.patch
new file mode 100644
index 0000000..797949e
--- /dev/null
+++ b/patches/wip-manual-document-mt-safety-pattern.patch
@@ -0,0 +1,15 @@
+Bottom: 15a8300141ee19f4516dae06220c3f742c3d7c85
+Top:    15a8300141ee19f4516dae06220c3f742c3d7c85
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 03:02:58 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/pattern.texi: Document thread safety properties.
+
+
+---
+
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fd02b804ae016376ee8a4fcc8e077b5c7528d172

commit fd02b804ae016376ee8a4fcc8e077b5c7528d172
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:02:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/pattern.texi: Document thread safety properties.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=367167abc3fb6ec6e1a4102842004e3da003c1c6

commit 367167abc3fb6ec6e1a4102842004e3da003c1c6
Merge: 993c633 c6a9551 5c8f728
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:01:38 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=993c6338b7c2cf96413a59818cc8df09d97fb594

commit 993c6338b7c2cf96413a59818cc8df09d97fb594
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:01:38 2013 -0300

    refresh

diff --git a/meta b/meta
index 77dc5e6..d749556 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 3b4ccc92fd1387e7de7cd9b502c03f9b259d746b
-Head: 36c2f5c7a687deea27b8092521704a0e9be8f7c9
+Previous: 5c8f728e217b3cc071402ce31689d0cc3ddbbe4f
+Head: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 178585271fec5719c46b62c1a25f19cd9fd28655
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
-  wip-manual-document-mt-safety-locale.patch: 992d05a094081cd47e58dcff300c4f202ac03eb2
-  refresh-temp: 36c2f5c7a687deea27b8092521704a0e9be8f7c9
+  wip-manual-document-mt-safety-locale.patch: c6a95510e695760a3ff9c03a7a1a6a95d2f74573
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 70b8aa5..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,32 +0,0 @@
-Bottom: 2507e36324acba020ee2ab328f3315c7d3885c46
-Top:    15a8300141ee19f4516dae06220c3f742c3d7c85
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 03:01:37 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index dac8f2e..11c9dc7 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -817,7 +817,8 @@ was introduced.
- @deftypefun {char *} nl_langinfo (nl_item @var{item})
- @safety{@mtsafe{}@assafe{}@acsafe{}}
- @c It calls _nl_langinfo_l with the current locale, which returns a
--@c pointer into constant strings defined in locale data structures.
-+@c pointer into constant strings defined in locale data structures.  It
-+@c doesn't run afoul of glocale itself, but callers may.
- The @code{nl_langinfo} function can be used to access individual
- elements of the locale categories.  Unlike the @code{localeconv}
- function, which returns all the information, @code{nl_langinfo}
-@@ -1328,6 +1329,8 @@ access to the corresponding locale definitions.
- @comment GNU
- @comment stdlib.h
- @deftypefun int rpmatch (const char *@var{response})
-+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
-+@c regfree, regcomp and regexec.
- The function @code{rpmatch} checks the string in @var{response} whether
- or not it is a correct yes-or-no answer and if yes, which one.  The
- check uses the @code{YESEXPR} and @code{NOEXPR} data in the
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index f25fda7..6e6dca0 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: 344a5475cfbcc32876fb401e993b1a6146c02663
-Top:    2507e36324acba020ee2ab328f3315c7d3885c46
+Top:    15a8300141ee19f4516dae06220c3f742c3d7c85
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:01 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..dac8f2e 100644
+index 2f10fcd..11c9dc7 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
 @@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
@@ -165,17 +165,18 @@ index 2f10fcd..dac8f2e 100644
  The @code{localeconv} function returns a pointer to a structure whose
  components contain information about how numeric and monetary values
  should be formatted in the current locale.
-@@ -680,6 +815,9 @@ was introduced.
+@@ -680,6 +815,10 @@ was introduced.
  @comment langinfo.h
  @comment XOPEN
  @deftypefun {char *} nl_langinfo (nl_item @var{item})
 +@safety{@mtsafe{}@assafe{}@acsafe{}}
 +@c It calls _nl_langinfo_l with the current locale, which returns a
-+@c pointer into constant strings defined in locale data structures.
++@c pointer into constant strings defined in locale data structures.  It
++@c doesn't run afoul of glocale itself, but callers may.
  The @code{nl_langinfo} function can be used to access individual
  elements of the locale categories.  Unlike the @code{localeconv}
  function, which returns all the information, @code{nl_langinfo}
-@@ -974,6 +1112,11 @@ locale information, making it easier for the user to format
+@@ -974,6 +1113,11 @@ locale information, making it easier for the user to format
  numbers according to these rules.
  
  @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
@@ -187,3 +188,12 @@ index 2f10fcd..dac8f2e 100644
  The @code{strfmon} function is similar to the @code{strftime} function
  in that it takes a buffer, its size, a format string,
  and values to write into the buffer as text in a form specified
+@@ -1185,6 +1329,8 @@ access to the corresponding locale definitions.
+ @comment GNU
+ @comment stdlib.h
+ @deftypefun int rpmatch (const char *@var{response})
++@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
++@c regfree, regcomp and regexec.
+ The function @code{rpmatch} checks the string in @var{response} whether
+ or not it is a correct yes-or-no answer and if yes, which one.  The
+ check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5c8f728e217b3cc071402ce31689d0cc3ddbbe4f

commit 5c8f728e217b3cc071402ce31689d0cc3ddbbe4f
Merge: 2be76d1 36c2f5c 3b4ccc9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:01:37 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2be76d1181f20143cd008c63243aace6494dc0ea

commit 2be76d1181f20143cd008c63243aace6494dc0ea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:01:37 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 56c1d55..77dc5e6 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 72821a94665b158372ee6c34fd6bbb938aeef580
-Head: 992d05a094081cd47e58dcff300c4f202ac03eb2
+Previous: 3b4ccc92fd1387e7de7cd9b502c03f9b259d746b
+Head: 36c2f5c7a687deea27b8092521704a0e9be8f7c9
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
   wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
   wip-manual-document-mt-safety-locale.patch: 992d05a094081cd47e58dcff300c4f202ac03eb2
+  refresh-temp: 36c2f5c7a687deea27b8092521704a0e9be8f7c9
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..70b8aa5
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,32 @@
+Bottom: 2507e36324acba020ee2ab328f3315c7d3885c46
+Top:    15a8300141ee19f4516dae06220c3f742c3d7c85
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 03:01:37 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index dac8f2e..11c9dc7 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -817,7 +817,8 @@ was introduced.
+ @deftypefun {char *} nl_langinfo (nl_item @var{item})
+ @safety{@mtsafe{}@assafe{}@acsafe{}}
+ @c It calls _nl_langinfo_l with the current locale, which returns a
+-@c pointer into constant strings defined in locale data structures.
++@c pointer into constant strings defined in locale data structures.  It
++@c doesn't run afoul of glocale itself, but callers may.
+ The @code{nl_langinfo} function can be used to access individual
+ elements of the locale categories.  Unlike the @code{localeconv}
+ function, which returns all the information, @code{nl_langinfo}
+@@ -1328,6 +1329,8 @@ access to the corresponding locale definitions.
+ @comment GNU
+ @comment stdlib.h
+ @deftypefun int rpmatch (const char *@var{response})
++@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
++@c regfree, regcomp and regexec.
+ The function @code{rpmatch} checks the string in @var{response} whether
+ or not it is a correct yes-or-no answer and if yes, which one.  The
+ check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=36c2f5c7a687deea27b8092521704a0e9be8f7c9

commit 36c2f5c7a687deea27b8092521704a0e9be8f7c9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 03:01:37 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index dac8f2e..11c9dc7 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -817,7 +817,8 @@ was introduced.
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
 @safety{@mtsafe{}@assafe{}@acsafe{}}
 @c It calls _nl_langinfo_l with the current locale, which returns a
-@c pointer into constant strings defined in locale data structures.
+@c pointer into constant strings defined in locale data structures.  It
+@c doesn't run afoul of glocale itself, but callers may.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -1328,6 +1329,8 @@ access to the corresponding locale definitions.
 @comment GNU
 @comment stdlib.h
 @deftypefun int rpmatch (const char *@var{response})
+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
+@c regfree, regcomp and regexec.
 The function @code{rpmatch} checks the string in @var{response} whether
 or not it is a correct yes-or-no answer and if yes, which one.  The
 check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3b4ccc92fd1387e7de7cd9b502c03f9b259d746b

commit 3b4ccc92fd1387e7de7cd9b502c03f9b259d746b
Merge: 7263281 992d05a 72821a9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:23:41 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7263281551734ca0eb7c9e627e74c1d6ebbd1166

commit 7263281551734ca0eb7c9e627e74c1d6ebbd1166
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:23:41 2013 -0300

    push

diff --git a/meta b/meta
index f35c25f..56c1d55 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 64c553b3957d07dac3e3b7d45ff1b3c90e2bc1ab
-Head: 0666d6743488860ce4130ed89f79bdda045e1559
+Previous: 72821a94665b158372ee6c34fd6bbb938aeef580
+Head: 992d05a094081cd47e58dcff300c4f202ac03eb2
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -21,13 +21,13 @@ Applied:
   manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
   manual-document-mt-safety-stdio.patch: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
   wip-manual-document-mt-safety-math.patch: 0666d6743488860ce4130ed89f79bdda045e1559
+  wip-manual-document-mt-safety-resource.patch: e1924a257ca4ba889b69af5907ca22f235fac6c9
+  wip-manual-document-mt-safety-startup.patch: 9c28ed5886790c4874d527aa2a775a299263bad5
+  wip-manual-document-mt-safety-search.patch: 6ff8451b08998b4f998ec7de43aee9148d46f3e5
+  wip-manual-document-mt-safety-string.patch: 241e5dd068f11629bd72636268cfb0330d352e02
+  wip-manual-document-mt-safety-terminal.patch: 178585271fec5719c46b62c1a25f19cd9fd28655
+  wip-manual-document-mt-safety-threads.patch: bcc2df98a27754a19ee0747e55f39302dbf3970e
+  wip-manual-document-mt-safety-time.patch: 85e757c54f47a0ada4f7a940c638b2bc7fb01572
+  wip-manual-document-mt-safety-locale.patch: 992d05a094081cd47e58dcff300c4f202ac03eb2
 Unapplied:
-  wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
-  wip-manual-document-mt-safety-startup.patch: 51a856392fd604dac2529a05ed2af3b71b37a583
-  wip-manual-document-mt-safety-search.patch: e05d166acc5534804dd2ee0f91e25d85cb546685
-  wip-manual-document-mt-safety-string.patch: 18a4951c9cbf68f51a2dceaeb4cea3036f0ebea0
-  wip-manual-document-mt-safety-terminal.patch: fccffdf69a6e46c63ce9f4e7adc46b97cceb81c7
-  wip-manual-document-mt-safety-threads.patch: cd1c8927299a03be9624e0b1b54e049371da1500
-  wip-manual-document-mt-safety-time.patch: 481d3df53d8c568232578ba58d71ddd6b461b9c6
-  wip-manual-document-mt-safety-locale.patch: a972cbb641150922f5dea32a6f655e40414c86ff
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 040f48b..f25fda7 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: b54fb6025438aaaf6c4da81f60d0bf50a69c2f70
-Top:    e8326e9572adad124fcc425a1b12c12d00136c87
+Bottom: 344a5475cfbcc32876fb401e993b1a6146c02663
+Top:    2507e36324acba020ee2ab328f3315c7d3885c46
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:01 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 282cdf8..50011fd 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 2a4babdd62df27c5861aa15305c7f516dc172d00
-Top:    8454b90778b1ebde46471a8e807c55534059dee4
+Bottom: 96d250ae32036f1399b1ebae76631dbb2b62738d
+Top:    eac45389ac7f46a006c5b0650e399877b77691df
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index ec0a5e5..0ff2c46 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 5c2e4fd6e27fcf98265b31f0b27f64539262961f
-Top:    9bb36bae725f82fa35390671a43725efcd84ec88
+Bottom: b6f83a85b4b377bb75e56263833cab93a55fe8aa
+Top:    974b65fdd740c5be01caf8296db702b20af31f6e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 78a28cb..39696d9 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 8454b90778b1ebde46471a8e807c55534059dee4
-Top:    5c2e4fd6e27fcf98265b31f0b27f64539262961f
+Bottom: eac45389ac7f46a006c5b0650e399877b77691df
+Top:    b6f83a85b4b377bb75e56263833cab93a55fe8aa
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:59 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 8eca966..b6c4a09 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 9bb36bae725f82fa35390671a43725efcd84ec88
-Top:    f2dc9605a7f5fc5e97f7243ee13b18c3e34fe5e3
+Bottom: 974b65fdd740c5be01caf8296db702b20af31f6e
+Top:    4526eb59c2b81d3c38552d73b8bcdcbe825ea516
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index b00c262..2515ce5 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: f2dc9605a7f5fc5e97f7243ee13b18c3e34fe5e3
-Top:    1d8bfc5bb628af156d0866fcd40fe986599d3a7c
+Bottom: 4526eb59c2b81d3c38552d73b8bcdcbe825ea516
+Top:    f01ba8b728460fbc54e782ace50ff470524c4f8c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 33794ed..b39e2e9 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 1d8bfc5bb628af156d0866fcd40fe986599d3a7c
-Top:    5c6fad90032135d6828414f74e8eae1b8bcf1954
+Bottom: f01ba8b728460fbc54e782ace50ff470524c4f8c
+Top:    8247b1a7d1b5c98f69462719f1ee387fea7ccb9a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 877577b..749f456 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 5c6fad90032135d6828414f74e8eae1b8bcf1954
-Top:    b54fb6025438aaaf6c4da81f60d0bf50a69c2f70
+Bottom: 8247b1a7d1b5c98f69462719f1ee387fea7ccb9a
+Top:    344a5475cfbcc32876fb401e993b1a6146c02663
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:00 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=80f55c2d25e3968c30f5846ffabc81dedc50f709

commit 80f55c2d25e3968c30f5846ffabc81dedc50f709
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 2a164a9..b63a849 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,9 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Calls strcoll_l with the current locale, which dereferences only the
+@c LC_COLLATE data pointer.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1351,6 +1361,8 @@ collating sequence of the current locale for collation (the
 @comment wchar.h
 @comment ISO
 @deftypefun int wcscoll (const wchar_t *@var{ws1}, const wchar_t *@var{ws2})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak}}
+@c Same as strcoll, but calling wcscoll_l.
 The @code{wcscoll} function is similar to @code{wcscmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1649,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1691,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2689,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=241e5dd068f11629bd72636268cfb0330d352e02

commit 241e5dd068f11629bd72636268cfb0330d352e02
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 2a164a9..173306c 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1646,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2686,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c6a95510e695760a3ff9c03a7a1a6a95d2f74573

commit c6a95510e695760a3ff9c03a7a1a6a95d2f74573
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..11c9dc7 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
@@ -414,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -680,6 +815,10 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.  It
+@c doesn't run afoul of glocale itself, but callers may.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -974,6 +1113,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified
@@ -1185,6 +1329,8 @@ access to the corresponding locale definitions.
 @comment GNU
 @comment stdlib.h
 @deftypefun int rpmatch (const char *@var{response})
+@c Calls nl_langinfo with YESEXPR and NOEXPR, triggering glocale.  Calls
+@c regfree, regcomp and regexec.
 The function @code{rpmatch} checks the string in @var{response} whether
 or not it is a correct yes-or-no answer and if yes, which one.  The
 check uses the @code{YESEXPR} and @code{NOEXPR} data in the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=992d05a094081cd47e58dcff300c4f202ac03eb2

commit 992d05a094081cd47e58dcff300c4f202ac03eb2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..dac8f2e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
@@ -414,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -680,6 +815,9 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -974,6 +1112,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6ff8451b08998b4f998ec7de43aee9148d46f3e5

commit 6ff8451b08998b4f998ec7de43aee9148d46f3e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=85e757c54f47a0ada4f7a940c638b2bc7fb01572

commit 85e757c54f47a0ada4f7a940c638b2bc7fb01572
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bcc2df98a27754a19ee0747e55f39302dbf3970e

commit bcc2df98a27754a19ee0747e55f39302dbf3970e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=178585271fec5719c46b62c1a25f19cd9fd28655

commit 178585271fec5719c46b62c1a25f19cd9fd28655
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9c28ed5886790c4874d527aa2a775a299263bad5

commit 9c28ed5886790c4874d527aa2a775a299263bad5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e1924a257ca4ba889b69af5907ca22f235fac6c9

commit e1924a257ca4ba889b69af5907ca22f235fac6c9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=72821a94665b158372ee6c34fd6bbb938aeef580

commit 72821a94665b158372ee6c34fd6bbb938aeef580
Merge: 43f41eb 64c553b 0666d67
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:15:26 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=43f41eb88ab33518c953a83c270b7763a1a7d9ca

commit 43f41eb88ab33518c953a83c270b7763a1a7d9ca
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:15:26 2013 -0300

    push

diff --git a/meta b/meta
index 9edc3ae..f35c25f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 12529c2df35ac3d6ba02740f56909653b341e1ee
-Head: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
+Previous: 64c553b3957d07dac3e3b7d45ff1b3c90e2bc1ab
+Head: 0666d6743488860ce4130ed89f79bdda045e1559
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -20,8 +20,8 @@ Applied:
   manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
   manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
   manual-document-mt-safety-stdio.patch: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
+  wip-manual-document-mt-safety-math.patch: 0666d6743488860ce4130ed89f79bdda045e1559
 Unapplied:
-  wip-manual-document-mt-safety-math.patch: 79a8df96fa61ec75e4a90255a008417f725c5009
   wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
   wip-manual-document-mt-safety-startup.patch: 51a856392fd604dac2529a05ed2af3b71b37a583
   wip-manual-document-mt-safety-search.patch: e05d166acc5534804dd2ee0f91e25d85cb546685
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index e669a0c..3c5a4de 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 59fc607250a481aac5da87d4296f1783f949792b
-Top:    2a4babdd62df27c5861aa15305c7f516dc172d00
+Bottom: 642718307250c62d80e83e8ad81aafb696296a92
+Top:    96d250ae32036f1399b1ebae76631dbb2b62738d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:58 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0666d6743488860ce4130ed89f79bdda045e1559

commit 0666d6743488860ce4130ed89f79bdda045e1559
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=64c553b3957d07dac3e3b7d45ff1b3c90e2bc1ab

commit 64c553b3957d07dac3e3b7d45ff1b3c90e2bc1ab
Merge: a374f24 12529c2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:15:23 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a374f243eb8e322d6c7866d3472b0a6dbe9c0df4

commit a374f243eb8e322d6c7866d3472b0a6dbe9c0df4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:15:23 2013 -0300

    refresh

diff --git a/meta b/meta
index 3f6d984..9edc3ae 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 3306b8e77532778e80996946b743e7a2597b7ac3
-Head: d70ce76cacbd09402e1dda7e80d53b7e5c9131e3
+Previous: 12529c2df35ac3d6ba02740f56909653b341e1ee
+Head: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -20,7 +20,6 @@ Applied:
   manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
   manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
   manual-document-mt-safety-stdio.patch: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
-  refresh-temp: d70ce76cacbd09402e1dda7e80d53b7e5c9131e3
 Unapplied:
   wip-manual-document-mt-safety-math.patch: 79a8df96fa61ec75e4a90255a008417f725c5009
   wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 8b10bb0..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,10 +0,0 @@
-Bottom: 642718307250c62d80e83e8ad81aafb696296a92
-Top:    642718307250c62d80e83e8ad81aafb696296a92
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 02:15:22 -0300
-
-Refresh of manual-document-mt-safety-stdio.patch
-
----
-
-

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=12529c2df35ac3d6ba02740f56909653b341e1ee

commit 12529c2df35ac3d6ba02740f56909653b341e1ee
Merge: 56b6f0e d70ce76 3306b8e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:15:22 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=56b6f0e1817f308ce4d018068855e8cc7fc6251e

commit 56b6f0e1817f308ce4d018068855e8cc7fc6251e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:15:22 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index d8e626a..3f6d984 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: f40ade1b782ebe21290e07078af9d9dd4cf650e4
-Head: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
+Previous: 3306b8e77532778e80996946b743e7a2597b7ac3
+Head: d70ce76cacbd09402e1dda7e80d53b7e5c9131e3
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
   manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
   manual-document-mt-safety-stdio.patch: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
+  refresh-temp: d70ce76cacbd09402e1dda7e80d53b7e5c9131e3
 Unapplied:
   wip-manual-document-mt-safety-math.patch: 79a8df96fa61ec75e4a90255a008417f725c5009
   wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..8b10bb0
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,10 @@
+Bottom: 642718307250c62d80e83e8ad81aafb696296a92
+Top:    642718307250c62d80e83e8ad81aafb696296a92
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 02:15:22 -0300
+
+Refresh of manual-document-mt-safety-stdio.patch
+
+---
+
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d70ce76cacbd09402e1dda7e80d53b7e5c9131e3

commit d70ce76cacbd09402e1dda7e80d53b7e5c9131e3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:15:22 2013 -0300

    Refresh of manual-document-mt-safety-stdio.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3306b8e77532778e80996946b743e7a2597b7ac3

commit 3306b8e77532778e80996946b743e7a2597b7ac3
Merge: 276b829 f40ade1 7c4dccb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:14:26 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=276b829db4064d267071c1ec522cfed6605f05ba

commit 276b829db4064d267071c1ec522cfed6605f05ba
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:14:26 2013 -0300

    refresh

diff --git a/meta b/meta
index 4f610c1..d8e626a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: aa02ff6c4de2577379ead8df4fb61b567a764ebb
-Head: 9af4c4c485694a7785aeb7154b5fa4dd419ca1fa
+Previous: f40ade1b782ebe21290e07078af9d9dd4cf650e4
+Head: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -19,8 +19,7 @@ Applied:
   manual-document-mt-safety-job.patch: 917a111878057a3254a5aae2a9e436e2da0521f2
   manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
   manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
-  manual-document-mt-safety-stdio.patch: 16bbb85f36fbb817d72e3dec082888129ba9cdf4
-  refresh-temp: 9af4c4c485694a7785aeb7154b5fa4dd419ca1fa
+  manual-document-mt-safety-stdio.patch: 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
 Unapplied:
   wip-manual-document-mt-safety-math.patch: 79a8df96fa61ec75e4a90255a008417f725c5009
   wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 702eefe..bb2b074 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
 Bottom: 7fe65183ca01afbf35f279fb8a0031a5633d2a1e
-Top:    59fc607250a481aac5da87d4296f1783f949792b
+Top:    642718307250c62d80e83e8ad81aafb696296a92
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:03:58 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/stdio.texi b/manual/stdio.texi
-index 30630ca..dad1072 100644
+index 30630ca..9ffe87b 100644
 --- a/manual/stdio.texi
 +++ b/manual/stdio.texi
 @@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
@@ -672,7 +672,7 @@ index 30630ca..dad1072 100644
 +@c outchar ok
 +@c outstring ok
 +@c PAD ok
-+@c __printf_fp glocale memleak
++@c __printf_fp glocale, asmalloc, memleak
 +@c __printf_fphex glocale
 +@c __readonly_area
 +@c   [GNU/Linux] fopen, strtoul, free
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 1759be4..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,22 +0,0 @@
-Bottom: 59fc607250a481aac5da87d4296f1783f949792b
-Top:    642718307250c62d80e83e8ad81aafb696296a92
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 02:14:19 -0300
-
-Refresh of manual-document-mt-safety-stdio.patch
-
----
-
-diff --git a/manual/stdio.texi b/manual/stdio.texi
-index dad1072..9ffe87b 100644
---- a/manual/stdio.texi
-+++ b/manual/stdio.texi
-@@ -2680,7 +2680,7 @@ pointer @var{ap}.
- @c outchar ok
- @c outstring ok
- @c PAD ok
--@c __printf_fp glocale memleak
-+@c __printf_fp glocale, asmalloc, memleak
- @c __printf_fphex glocale
- @c __readonly_area
- @c   [GNU/Linux] fopen, strtoul, free

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f40ade1b782ebe21290e07078af9d9dd4cf650e4

commit f40ade1b782ebe21290e07078af9d9dd4cf650e4
Merge: 37d7582 9af4c4c aa02ff6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:14:24 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=37d75828ea79c956a1666a684604165204f3db61

commit 37d75828ea79c956a1666a684604165204f3db61
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:14:24 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index ffb7d28..4f610c1 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: aaf81fa9cc834eed1d89c7be11b0c01f6721c4dc
-Head: 16bbb85f36fbb817d72e3dec082888129ba9cdf4
+Previous: aa02ff6c4de2577379ead8df4fb61b567a764ebb
+Head: 9af4c4c485694a7785aeb7154b5fa4dd419ca1fa
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
   manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
   manual-document-mt-safety-stdio.patch: 16bbb85f36fbb817d72e3dec082888129ba9cdf4
+  refresh-temp: 9af4c4c485694a7785aeb7154b5fa4dd419ca1fa
 Unapplied:
   wip-manual-document-mt-safety-math.patch: 79a8df96fa61ec75e4a90255a008417f725c5009
   wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..1759be4
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,22 @@
+Bottom: 59fc607250a481aac5da87d4296f1783f949792b
+Top:    642718307250c62d80e83e8ad81aafb696296a92
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 02:14:19 -0300
+
+Refresh of manual-document-mt-safety-stdio.patch
+
+---
+
+diff --git a/manual/stdio.texi b/manual/stdio.texi
+index dad1072..9ffe87b 100644
+--- a/manual/stdio.texi
++++ b/manual/stdio.texi
+@@ -2680,7 +2680,7 @@ pointer @var{ap}.
+ @c outchar ok
+ @c outstring ok
+ @c PAD ok
+-@c __printf_fp glocale memleak
++@c __printf_fp glocale, asmalloc, memleak
+ @c __printf_fphex glocale
+ @c __readonly_area
+ @c   [GNU/Linux] fopen, strtoul, free

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9af4c4c485694a7785aeb7154b5fa4dd419ca1fa

commit 9af4c4c485694a7785aeb7154b5fa4dd419ca1fa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:14:19 2013 -0300

    Refresh of manual-document-mt-safety-stdio.patch

diff --git a/manual/stdio.texi b/manual/stdio.texi
index dad1072..9ffe87b 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -2680,7 +2680,7 @@ pointer @var{ap}.
 @c outchar ok
 @c outstring ok
 @c PAD ok
-@c __printf_fp glocale memleak
+@c __printf_fp glocale, asmalloc, memleak
 @c __printf_fphex glocale
 @c __readonly_area
 @c   [GNU/Linux] fopen, strtoul, free

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=aa02ff6c4de2577379ead8df4fb61b567a764ebb

commit aa02ff6c4de2577379ead8df4fb61b567a764ebb
Merge: 05d37fc aaf81fa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:04:09 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=05d37fca438c1f2d900d08b5010a0123026610a6

commit 05d37fca438c1f2d900d08b5010a0123026610a6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:04:09 2013 -0300

    goto

diff --git a/meta b/meta
index 210af6a..ffb7d28 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 8186f2187d685f4e0da68346579b07bb9c4a46ee
-Head: a972cbb641150922f5dea32a6f655e40414c86ff
+Previous: aaf81fa9cc834eed1d89c7be11b0c01f6721c4dc
+Head: 16bbb85f36fbb817d72e3dec082888129ba9cdf4
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
   manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
   manual-document-mt-safety-stdio.patch: 16bbb85f36fbb817d72e3dec082888129ba9cdf4
+Unapplied:
   wip-manual-document-mt-safety-math.patch: 79a8df96fa61ec75e4a90255a008417f725c5009
   wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
   wip-manual-document-mt-safety-startup.patch: 51a856392fd604dac2529a05ed2af3b71b37a583
@@ -29,5 +30,4 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: cd1c8927299a03be9624e0b1b54e049371da1500
   wip-manual-document-mt-safety-time.patch: 481d3df53d8c568232578ba58d71ddd6b461b9c6
   wip-manual-document-mt-safety-locale.patch: a972cbb641150922f5dea32a6f655e40414c86ff
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=aaf81fa9cc834eed1d89c7be11b0c01f6721c4dc

commit aaf81fa9cc834eed1d89c7be11b0c01f6721c4dc
Merge: e86251f a972cbb 8186f21
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:02:50 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e86251f76000b17cf0fc0f7427ee0516743ffa8a

commit e86251f76000b17cf0fc0f7427ee0516743ffa8a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:02:50 2013 -0300

    refresh

diff --git a/meta b/meta
index 060d2e7..210af6a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: c7d60029d83e9f2ee383fc6007fdd952bdf860bc
-Head: 3e21b59a0e7c43e42e3638ef01345ad3ecaed4bf
+Previous: 8186f2187d685f4e0da68346579b07bb9c4a46ee
+Head: a972cbb641150922f5dea32a6f655e40414c86ff
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: fccffdf69a6e46c63ce9f4e7adc46b97cceb81c7
   wip-manual-document-mt-safety-threads.patch: cd1c8927299a03be9624e0b1b54e049371da1500
   wip-manual-document-mt-safety-time.patch: 481d3df53d8c568232578ba58d71ddd6b461b9c6
-  wip-manual-document-mt-safety-locale.patch: 96b965160d7c3558ccf87abf7f2fd853a03343e5
-  refresh-temp: 3e21b59a0e7c43e42e3638ef01345ad3ecaed4bf
+  wip-manual-document-mt-safety-locale.patch: a972cbb641150922f5dea32a6f655e40414c86ff
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 16d996b..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,46 +0,0 @@
-Bottom: b12b2150d8eb3125781678c67a6b9a49c40ecbc0
-Top:    e8326e9572adad124fcc425a1b12c12d00136c87
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-31 02:02:49 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index f07135e..dac8f2e 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -545,6 +545,10 @@ according to the selected locale using this information.
- @comment locale.h
- @comment ISO
- @deftypefun {struct lconv *} localeconv (void)
-+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
-+@c This function reads from multiple components of the locale object,
-+@c without synchronization, while writing to the static buffer it uses
-+@c as the return value.
- The @code{localeconv} function returns a pointer to a structure whose
- components contain information about how numeric and monetary values
- should be formatted in the current locale.
-@@ -811,6 +815,9 @@ was introduced.
- @comment langinfo.h
- @comment XOPEN
- @deftypefun {char *} nl_langinfo (nl_item @var{item})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c It calls _nl_langinfo_l with the current locale, which returns a
-+@c pointer into constant strings defined in locale data structures.
- The @code{nl_langinfo} function can be used to access individual
- elements of the locale categories.  Unlike the @code{localeconv}
- function, which returns all the information, @code{nl_langinfo}
-@@ -1105,6 +1112,11 @@ locale information, making it easier for the user to format
- numbers according to these rules.
- 
- @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
-+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
-+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
-+@c locale object passed to it, accesses the active locale through
-+@c isdigit (but to_digit assumes ASCII digits only).  It may call
-+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
- The @code{strfmon} function is similar to the @code{strftime} function
- in that it takes a buffer, its size, a format string,
- and values to write into the buffer as text in a form specified
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 6fb8814..040f48b 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: b54fb6025438aaaf6c4da81f60d0bf50a69c2f70
-Top:    b12b2150d8eb3125781678c67a6b9a49c40ecbc0
+Top:    e8326e9572adad124fcc425a1b12c12d00136c87
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-31 01:04:01 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..f07135e 100644
+index 2f10fcd..dac8f2e 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
 @@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
@@ -154,3 +154,36 @@ index 2f10fcd..f07135e 100644
  The function @code{setlocale} sets the current locale for category
  @var{category} to @var{locale}.  A list of all the locales the system
  provides can be created by running
+@@ -414,6 +545,10 @@ according to the selected locale using this information.
+ @comment locale.h
+ @comment ISO
+ @deftypefun {struct lconv *} localeconv (void)
++@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
++@c This function reads from multiple components of the locale object,
++@c without synchronization, while writing to the static buffer it uses
++@c as the return value.
+ The @code{localeconv} function returns a pointer to a structure whose
+ components contain information about how numeric and monetary values
+ should be formatted in the current locale.
+@@ -680,6 +815,9 @@ was introduced.
+ @comment langinfo.h
+ @comment XOPEN
+ @deftypefun {char *} nl_langinfo (nl_item @var{item})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c It calls _nl_langinfo_l with the current locale, which returns a
++@c pointer into constant strings defined in locale data structures.
+ The @code{nl_langinfo} function can be used to access individual
+ elements of the locale categories.  Unlike the @code{localeconv}
+ function, which returns all the information, @code{nl_langinfo}
+@@ -974,6 +1112,11 @@ locale information, making it easier for the user to format
+ numbers according to these rules.
+ 
+ @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
++@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
++@c locale object passed to it, accesses the active locale through
++@c isdigit (but to_digit assumes ASCII digits only).  It may call
++@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
+ The @code{strfmon} function is similar to the @code{strftime} function
+ in that it takes a buffer, its size, a format string,
+ and values to write into the buffer as text in a form specified

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8186f2187d685f4e0da68346579b07bb9c4a46ee

commit 8186f2187d685f4e0da68346579b07bb9c4a46ee
Merge: 047d89e c7d6002 3e21b59
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:02:50 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=047d89e6abbbd4c344a93df7e8363f4e3b019fbe

commit 047d89e6abbbd4c344a93df7e8363f4e3b019fbe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:02:50 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 173aea3..060d2e7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 274d255020884189382b12ecd37cdf8707241352
-Head: 96b965160d7c3558ccf87abf7f2fd853a03343e5
+Previous: c7d60029d83e9f2ee383fc6007fdd952bdf860bc
+Head: 3e21b59a0e7c43e42e3638ef01345ad3ecaed4bf
 Applied:
   unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
   remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: cd1c8927299a03be9624e0b1b54e049371da1500
   wip-manual-document-mt-safety-time.patch: 481d3df53d8c568232578ba58d71ddd6b461b9c6
   wip-manual-document-mt-safety-locale.patch: 96b965160d7c3558ccf87abf7f2fd853a03343e5
+  refresh-temp: 3e21b59a0e7c43e42e3638ef01345ad3ecaed4bf
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..16d996b
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,46 @@
+Bottom: b12b2150d8eb3125781678c67a6b9a49c40ecbc0
+Top:    e8326e9572adad124fcc425a1b12c12d00136c87
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-31 02:02:49 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index f07135e..dac8f2e 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -545,6 +545,10 @@ according to the selected locale using this information.
+ @comment locale.h
+ @comment ISO
+ @deftypefun {struct lconv *} localeconv (void)
++@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
++@c This function reads from multiple components of the locale object,
++@c without synchronization, while writing to the static buffer it uses
++@c as the return value.
+ The @code{localeconv} function returns a pointer to a structure whose
+ components contain information about how numeric and monetary values
+ should be formatted in the current locale.
+@@ -811,6 +815,9 @@ was introduced.
+ @comment langinfo.h
+ @comment XOPEN
+ @deftypefun {char *} nl_langinfo (nl_item @var{item})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c It calls _nl_langinfo_l with the current locale, which returns a
++@c pointer into constant strings defined in locale data structures.
+ The @code{nl_langinfo} function can be used to access individual
+ elements of the locale categories.  Unlike the @code{localeconv}
+ function, which returns all the information, @code{nl_langinfo}
+@@ -1105,6 +1112,11 @@ locale information, making it easier for the user to format
+ numbers according to these rules.
+ 
+ @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
++@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
++@c locale object passed to it, accesses the active locale through
++@c isdigit (but to_digit assumes ASCII digits only).  It may call
++@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
+ The @code{strfmon} function is similar to the @code{strftime} function
+ in that it takes a buffer, its size, a format string,
+ and values to write into the buffer as text in a form specified

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3e21b59a0e7c43e42e3638ef01345ad3ecaed4bf

commit 3e21b59a0e7c43e42e3638ef01345ad3ecaed4bf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 02:02:49 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index f07135e..dac8f2e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -545,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -811,6 +815,9 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -1105,6 +1112,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c7d60029d83e9f2ee383fc6007fdd952bdf860bc

commit c7d60029d83e9f2ee383fc6007fdd952bdf860bc
Merge: e6c6c01 96b9651 274d255
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:02 2013 -0300

    pull


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e6c6c013e96a76a5774c8f6b37478c36a8067fa3

commit e6c6c013e96a76a5774c8f6b37478c36a8067fa3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:02 2013 -0300

    pull

diff --git a/meta b/meta
index 9792083..173aea3 100644
--- a/meta
+++ b/meta
@@ -1,33 +1,33 @@
 Version: 1
-Previous: 4a1b658a629243592ceb4f42b4903286e96fbd9f
-Head: e9145a48fc85e7f29a8589f4c8185647d0907e34
+Previous: 274d255020884189382b12ecd37cdf8707241352
+Head: 96b965160d7c3558ccf87abf7f2fd853a03343e5
 Applied:
-  unused-scalb-is-scalbn.patch: 601f2444208808e1d17c679fa7a119ccb9db4254
-  remove-sysdeps-ieee754-support.patch: 34abea62b6ff2865a7f75c0d5186018b3a82899d
-  manual-document-mt-safety.patch: 400cde6651833f07505f9d1b935539ecac53f006
-  manual-document-mt-safety-argp.patch: e7b55795888c074364e9070adc34af37c58b1b70
-  manual-document-mt-safety-arith.patch: 6d1424edfa9fc55d9ae9188866fc4d07ca999ebb
-  manual-document-mt-safety-charset.patch: 57efa1b33f9b1d513d9f5af800c821485ad43bea
-  manual-document-mt-safety-conf.patch: 95d536639518ae7a6e106105e40e759ebaac1e85
-  manual-document-mt-safety-crypt.patch: bfd41b844cd2a718215b48d96bcfb88a593a3b58
-  manual-document-mt-safety-ctype.patch: bc57e1374fa217ebb08b3dc75c515873e34a230f
-  manual-document-mt-safety-debug.patch: 69023efa78bdaca363b5de32f56adea8ce05e13b
-  manual-document-mt-safety-errno.patch: 14586b49baa8cc3f7130be193d847967e9ce16d8
-  manual-document-mt-safety-filesys.patch: 455ec866c88f22881882323df735a2bdd7a2e5c8
-  manual-document-mt-safety-getopt.patch: 0b99c70c2cfa83e1c2f06765613650f7d0baa3cd
-  manual-document-mt-safety-libdl.patch: 756f4b7231c09a2f3330bfe8cef81cb9affbf4a4
-  manual-document-mt-safety-job.patch: 82c921e0fe0e03260273e0c3b9c534cb9ddc83ea
-  manual-document-mt-safety-lang.patch: 594da3770c027a01968fcfd3e459fc13bbdbf047
-  manual-document-mt-safety-llio.patch: 7fa5c0efde5f43928620b11438856b9174d41391
-  manual-document-mt-safety-stdio.patch: e8eca86a677a80f62b5bb0a17597cddf0a3cd9d5
-  wip-manual-document-mt-safety-math.patch: 305b77447b06df4c81a48a7f7dc0956ef8fe25e5
-  wip-manual-document-mt-safety-resource.patch: 944dd9eb606418530cc96cbaca0aaeb6ec89d590
-  wip-manual-document-mt-safety-startup.patch: 2df7a11143b0aec001575ef211e69f2fa271c61d
-  wip-manual-document-mt-safety-search.patch: 166b7eedb8e53f936ef842f708c68b2ac2394a76
-  wip-manual-document-mt-safety-string.patch: 13b20f6390fe51eabd827a7d4833df7c9b32f962
-  wip-manual-document-mt-safety-terminal.patch: 134a32db5ba4664731ebc1c2c15aaad32da69e07
-  wip-manual-document-mt-safety-threads.patch: 31e58276bacf72345d2bf27b274bcd254f615a4b
-  wip-manual-document-mt-safety-time.patch: 95da1194f415a13a61ce12c7439d411d990dc92e
-  wip-manual-document-mt-safety-locale.patch: e9145a48fc85e7f29a8589f4c8185647d0907e34
+  unused-scalb-is-scalbn.patch: 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
+  remove-sysdeps-ieee754-support.patch: 874e350341a8e14881907b059e6d988de123648f
+  manual-document-mt-safety.patch: 2241fe9399aa7805b0df7b4abe1de3923d100d96
+  manual-document-mt-safety-argp.patch: c8161f62379675acafc26a1733624d033cc4f6fd
+  manual-document-mt-safety-arith.patch: df0d63ac4db5760df6264dd7c070e46b4bc76bd5
+  manual-document-mt-safety-charset.patch: 5d13721f3fcad9209c33e8ce0d6640a3d334566c
+  manual-document-mt-safety-conf.patch: 468d2e671888f9b5ce639bef1016b1422f469830
+  manual-document-mt-safety-crypt.patch: 09ba3b7906d2614779c884c67726e86105a157d0
+  manual-document-mt-safety-ctype.patch: dbe30b42d6c674a6d02343411c9d29f4bbab2084
+  manual-document-mt-safety-debug.patch: 1aa7f3b6fc9a8771b43d3adb63e254f8caf5aa5b
+  manual-document-mt-safety-errno.patch: 3c03cf246bde895688e98b832b45fcc835a9d2dc
+  manual-document-mt-safety-filesys.patch: 76884a41c04d96b2e1bab16fd4f76157c306fc81
+  manual-document-mt-safety-getopt.patch: fdbe248de910c1e7ef9ae9b744eed8d658ac5d29
+  manual-document-mt-safety-libdl.patch: ac5bbc507973eb6ce1cd3b11d0456f31bdbea7d3
+  manual-document-mt-safety-job.patch: 917a111878057a3254a5aae2a9e436e2da0521f2
+  manual-document-mt-safety-lang.patch: 74404662e804550da523e8be4c8cbca7d1df1e4d
+  manual-document-mt-safety-llio.patch: e500e6b451e90bcfa93b9ebc11eee98ff9948da4
+  manual-document-mt-safety-stdio.patch: 16bbb85f36fbb817d72e3dec082888129ba9cdf4
+  wip-manual-document-mt-safety-math.patch: 79a8df96fa61ec75e4a90255a008417f725c5009
+  wip-manual-document-mt-safety-resource.patch: 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
+  wip-manual-document-mt-safety-startup.patch: 51a856392fd604dac2529a05ed2af3b71b37a583
+  wip-manual-document-mt-safety-search.patch: e05d166acc5534804dd2ee0f91e25d85cb546685
+  wip-manual-document-mt-safety-string.patch: 18a4951c9cbf68f51a2dceaeb4cea3036f0ebea0
+  wip-manual-document-mt-safety-terminal.patch: fccffdf69a6e46c63ce9f4e7adc46b97cceb81c7
+  wip-manual-document-mt-safety-threads.patch: cd1c8927299a03be9624e0b1b54e049371da1500
+  wip-manual-document-mt-safety-time.patch: 481d3df53d8c568232578ba58d71ddd6b461b9c6
+  wip-manual-document-mt-safety-locale.patch: 96b965160d7c3558ccf87abf7f2fd853a03343e5
 Unapplied:
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 80f0acf..19a841c 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,7 +1,7 @@
-Bottom: 52f86982187c30275067463fb7a6064b54969139
-Top:    9592a99187853c02f7033b271de199e85012a53a
+Bottom: de2c04a442dec6e21ee6d15dbd2ee805641ff07d
+Top:    ff129fc9d64565ed78031aabdc52fa74cc712a35
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:39 -0300
+Date:   2013-08-31 01:03:53 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 862a159..8a95b2e 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,7 +1,7 @@
-Bottom: 9592a99187853c02f7033b271de199e85012a53a
-Top:    a46ac9b1deecd51710762b73ec64e2bb52a9d84b
+Bottom: ff129fc9d64565ed78031aabdc52fa74cc712a35
+Top:    7cb1b26f3679a5f6ca27301fc2d16f2a63ee47ca
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:39 -0300
+Date:   2013-08-31 01:03:54 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index 99f9422..73d46a8 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,7 +1,7 @@
-Bottom: a46ac9b1deecd51710762b73ec64e2bb52a9d84b
-Top:    bd7cc55350cfbbd116f5a730a8bef8f534c74b53
+Bottom: 7cb1b26f3679a5f6ca27301fc2d16f2a63ee47ca
+Top:    779a8294863d1b2690c20f0ca9f1daa8923465db
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:40 -0300
+Date:   2013-08-31 01:03:54 -0300
 
 Thread safety documentation.
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/charset.texi b/manual/charset.texi
-index e21502e..7e6c416 100644
+index 4042639..4301727 100644
 --- a/manual/charset.texi
 +++ b/manual/charset.texi
 @@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index a3e730f..c946ce7 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,7 +1,7 @@
-Bottom: bd7cc55350cfbbd116f5a730a8bef8f534c74b53
-Top:    cb52d0ad721c1624720477c9407cdb3fef52b742
+Bottom: 779a8294863d1b2690c20f0ca9f1daa8923465db
+Top:    09960a1143878b8e632424d99e7d937edf00b216
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:40 -0300
+Date:   2013-08-31 01:03:54 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 1c47eff..de3f853 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,7 +1,7 @@
-Bottom: cb52d0ad721c1624720477c9407cdb3fef52b742
-Top:    cdcfad758945d3cea0d9f124bc38710c8fb23496
+Bottom: 09960a1143878b8e632424d99e7d937edf00b216
+Top:    7302ab50670533c78224e0116d828e5a16d3de27
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:41 -0300
+Date:   2013-08-31 01:03:55 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index e4c63c3..45957f6 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,7 +1,7 @@
-Bottom: cdcfad758945d3cea0d9f124bc38710c8fb23496
-Top:    e77fd4ac0a9784c71ac174e7dee32d3e2aa16184
+Bottom: 7302ab50670533c78224e0116d828e5a16d3de27
+Top:    61f991a4922eef0315de140d2138b6630c47e2bd
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:41 -0300
+Date:   2013-08-31 01:03:55 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index c6bc8da..950e552 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,7 +1,7 @@
-Bottom: e77fd4ac0a9784c71ac174e7dee32d3e2aa16184
-Top:    b33d6f51141d8f2f5e6b95c5eb48b46237ca4af9
+Bottom: 61f991a4922eef0315de140d2138b6630c47e2bd
+Top:    a82dc3aa9258d667b3a320290b024fa27de14d49
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:42 -0300
+Date:   2013-08-31 01:03:55 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 072f554..375b5c7 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,7 +1,7 @@
-Bottom: b33d6f51141d8f2f5e6b95c5eb48b46237ca4af9
-Top:    0d10a649c4473d9a6fb609ec81fa26e8a629d061
+Bottom: a82dc3aa9258d667b3a320290b024fa27de14d49
+Top:    cd380e093eb8bd489394de0daad301f35820b2e8
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:43 -0300
+Date:   2013-08-31 01:03:55 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index aef66bc..147c536 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,7 +1,7 @@
-Bottom: 0d10a649c4473d9a6fb609ec81fa26e8a629d061
-Top:    e36ec2efcbfbb0271060509e53c1c357a9688a7f
+Bottom: cd380e093eb8bd489394de0daad301f35820b2e8
+Top:    157f057fc8982c458959738c2a2c8d76e6c12c7e
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:43 -0300
+Date:   2013-08-31 01:03:56 -0300
 
 Thread safety documentation.
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 814c210..c7eb13b 100644
+index 1cac453..182fd33 100644
 --- a/manual/filesys.texi
 +++ b/manual/filesys.texi
 @@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
@@ -406,7 +406,7 @@ index 814c210..c7eb13b 100644
  @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
 +@safety{@mtsafe{}@assafe{}@acsafe{}}
  This function is similar to @code{stat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ files larger than @math{2^31} bytes on 32-bit systems.  To be able to do
  this the result is stored in a variable of type @code{struct stat64} to
 @@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
  @comment sys/stat.h
@@ -449,7 +449,7 @@ index 814c210..c7eb13b 100644
 +@c Direct system call through lxstat64, sometimes with an xstat conv
 +@c call afterwards.
  This function is similar to @code{lstat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ files larger than @math{2^31} bytes on 32-bit systems.  To be able to do
  this the result is stored in a variable of type @code{struct stat64} to
 @@ -2007,12 +2132,14 @@ that file:
  @comment sys/stat.h
@@ -701,7 +701,7 @@ index 814c210..c7eb13b 100644
 +@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
  This function is similar to @code{tmpfile}, but the stream it returns a
  pointer to was opened using @code{tmpfile64}.  Therefore this stream can
- be used for files larger then @math{2^31} bytes on 32-bit machines.
+ be used for files larger than @math{2^31} bytes on 32-bit machines.
 @@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
  @comment stdio.h
  @comment ISO
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index f2ba59a..bcdbbf6 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,7 +1,7 @@
-Bottom: e36ec2efcbfbb0271060509e53c1c357a9688a7f
-Top:    070ad4074ca24a78565b334b04451ba020429abe
+Bottom: 157f057fc8982c458959738c2a2c8d76e6c12c7e
+Top:    ec1fe87f340be1e74d6dfed9db87effb228b388c
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:44 -0300
+Date:   2013-08-31 01:03:56 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 85da9aa..9cca92e 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,7 +1,7 @@
-Bottom: 9fe02cfc9a3804b9559a551581b75c028f9b91bd
-Top:    ccbfd7f0cfb967e1801d4cd3f0d65b69ea3f11a4
+Bottom: 5b7b7d31d8b0edd9f840eb090384f78097436481
+Top:    9b155e11463623a6a0bb95400b2498182e34583a
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:50 -0300
+Date:   2013-08-31 01:03:57 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 3cd2f00..b53eeb2 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,7 +1,7 @@
-Bottom: ccbfd7f0cfb967e1801d4cd3f0d65b69ea3f11a4
-Top:    f7f7a15f0c84bba8877a582df6dbd055187a041c
+Bottom: 9b155e11463623a6a0bb95400b2498182e34583a
+Top:    9b7095b69b6581c1fcfb8e18046f496fbc149994
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:51 -0300
+Date:   2013-08-31 01:03:57 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 4affaf8..02605ec 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,7 +1,7 @@
-Bottom: 070ad4074ca24a78565b334b04451ba020429abe
-Top:    9fe02cfc9a3804b9559a551581b75c028f9b91bd
+Bottom: ec1fe87f340be1e74d6dfed9db87effb228b388c
+Top:    5b7b7d31d8b0edd9f840eb090384f78097436481
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:49 -0300
+Date:   2013-08-31 01:03:57 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 364aea5..f160a84 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,7 +1,7 @@
-Bottom: f7f7a15f0c84bba8877a582df6dbd055187a041c
-Top:    97e0541602be704b65a32187d99e52c3138d4d04
+Bottom: 9b7095b69b6581c1fcfb8e18046f496fbc149994
+Top:    7fe65183ca01afbf35f279fb8a0031a5633d2a1e
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:51 -0300
+Date:   2013-08-31 01:03:57 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index e6d842e..702eefe 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,7 +1,7 @@
-Bottom: 97e0541602be704b65a32187d99e52c3138d4d04
-Top:    71911a0d161093360cc979a0f75987e8706f33b6
+Bottom: 7fe65183ca01afbf35f279fb8a0031a5633d2a1e
+Top:    59fc607250a481aac5da87d4296f1783f949792b
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:52 -0300
+Date:   2013-08-31 01:03:58 -0300
 
 Thread safety documentation.
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/stdio.texi b/manual/stdio.texi
-index 3f9be9bc5..5667af3 100644
+index 30630ca..dad1072 100644
 --- a/manual/stdio.texi
 +++ b/manual/stdio.texi
 @@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
@@ -32,7 +32,7 @@ index 3f9be9bc5..5667af3 100644
 +@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
  This function is similar to @code{fopen} but the stream it returns a
  pointer for is opened using @code{open64}.  Therefore this stream can be
- used even on files larger then @math{2^31} bytes on 32 bit machines.
+ used even on files larger than @math{2^31} bytes on 32 bit machines.
 @@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
  @comment stdio.h
  @comment ISO
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index ff2b700..9d5b78a 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,7 +1,7 @@
-Bottom: 98aee56c2b6c46ef89db799efabe6ab30c9729a1
-Top:    52f86982187c30275067463fb7a6064b54969139
+Bottom: fbc726828e79b09120a7ad26f8023c8e3d2b938a
+Top:    de2c04a442dec6e21ee6d15dbd2ee805641ff07d
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:37 -0300
+Date:   2013-08-31 01:03:53 -0300
 
 Thread safety documentation.
 
diff --git a/patches/remove-sysdeps-ieee754-support.patch b/patches/remove-sysdeps-ieee754-support.patch
index ce4346c..42439af 100644
--- a/patches/remove-sysdeps-ieee754-support.patch
+++ b/patches/remove-sysdeps-ieee754-support.patch
@@ -1,7 +1,7 @@
-Bottom: a37ea8d691d49aaa2e36925f64cadc88674f1b39
-Top:    98aee56c2b6c46ef89db799efabe6ab30c9729a1
+Bottom: 9214bdbc43d0e9ed1e61845468d28bc264d090eb
+Top:    fbc726828e79b09120a7ad26f8023c8e3d2b938a
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:36 -0300
+Date:   2013-08-31 01:03:53 -0300
 
 Remove unused sysdeps/ieee754/support.c.
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 2bc2eea..9c88c0f 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,7 +1,7 @@
-Bottom: ca1315b0033f11c3f3d8879e9e0fb14d71dadf3b
-Top:    a37ea8d691d49aaa2e36925f64cadc88674f1b39
+Bottom: 02fc799233452f582117de740b583117f983882b
+Top:    9214bdbc43d0e9ed1e61845468d28bc264d090eb
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:34 -0300
+Date:   2013-08-31 01:03:52 -0300
 
 Rename unused scalb to scalbn to match prototype.
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index cae2acb..6fb8814 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,7 +1,7 @@
-Bottom: f528b7b2631aa970b7a9c2868269f120e51ddf6f
-Top:    8302a915c7103c415d81e3db9b4e0b9db02bb42b
+Bottom: b54fb6025438aaaf6c4da81f60d0bf50a69c2f70
+Top:    b12b2150d8eb3125781678c67a6b9a49c40ecbc0
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:13:05 -0300
+Date:   2013-08-31 01:04:01 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 77b2631..e669a0c 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,7 +1,7 @@
-Bottom: 71911a0d161093360cc979a0f75987e8706f33b6
-Top:    48f3dc76c3e3461d4a79137423312ee9d4a99ee0
+Bottom: 59fc607250a481aac5da87d4296f1783f949792b
+Top:    2a4babdd62df27c5861aa15305c7f516dc172d00
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:52 -0300
+Date:   2013-08-31 01:03:58 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index ee57db1..282cdf8 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,7 +1,7 @@
-Bottom: 48f3dc76c3e3461d4a79137423312ee9d4a99ee0
-Top:    fe2388feda441b099b6db701fab60199b9a385f0
+Bottom: 2a4babdd62df27c5861aa15305c7f516dc172d00
+Top:    8454b90778b1ebde46471a8e807c55534059dee4
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:53 -0300
+Date:   2013-08-31 01:03:59 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index a4722b4..ec0a5e5 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,7 +1,7 @@
-Bottom: 54f51cc24c8038bf966957936a78214bb4001b07
-Top:    aa3dbf5537f25ecc771448e84d89b4535b1c6f70
+Bottom: 5c2e4fd6e27fcf98265b31f0b27f64539262961f
+Top:    9bb36bae725f82fa35390671a43725efcd84ec88
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:54 -0300
+Date:   2013-08-31 01:03:59 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 7f82f0a..78a28cb 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,7 +1,7 @@
-Bottom: fe2388feda441b099b6db701fab60199b9a385f0
-Top:    54f51cc24c8038bf966957936a78214bb4001b07
+Bottom: 8454b90778b1ebde46471a8e807c55534059dee4
+Top:    5c2e4fd6e27fcf98265b31f0b27f64539262961f
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:53 -0300
+Date:   2013-08-31 01:03:59 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index f8b1f7d..8eca966 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,7 +1,7 @@
-Bottom: aa3dbf5537f25ecc771448e84d89b4535b1c6f70
-Top:    df309a874addf70b8a7a1debf3b0de3512d70a58
+Bottom: 9bb36bae725f82fa35390671a43725efcd84ec88
+Top:    f2dc9605a7f5fc5e97f7243ee13b18c3e34fe5e3
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:12:54 -0300
+Date:   2013-08-31 01:04:00 -0300
 
 Thread safety documentation.
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/string.texi b/manual/string.texi
-index 246be84..1408033 100644
+index 2a164a9..173306c 100644
 --- a/manual/string.texi
 +++ b/manual/string.texi
 @@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index cf5d100..b00c262 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,7 +1,7 @@
-Bottom: df309a874addf70b8a7a1debf3b0de3512d70a58
-Top:    113ab3d6e3ff6f9318e93ab05c0aca48dd213a9e
+Bottom: f2dc9605a7f5fc5e97f7243ee13b18c3e34fe5e3
+Top:    1d8bfc5bb628af156d0866fcd40fe986599d3a7c
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:13:02 -0300
+Date:   2013-08-31 01:04:00 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 9aecb4a..33794ed 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,7 +1,7 @@
-Bottom: 113ab3d6e3ff6f9318e93ab05c0aca48dd213a9e
-Top:    004b08ebe327a6ae66f437a41c9ef84820f7f127
+Bottom: 1d8bfc5bb628af156d0866fcd40fe986599d3a7c
+Top:    5c6fad90032135d6828414f74e8eae1b8bcf1954
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:13:03 -0300
+Date:   2013-08-31 01:04:00 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 0271f4f..877577b 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,7 +1,7 @@
-Bottom: 004b08ebe327a6ae66f437a41c9ef84820f7f127
-Top:    f528b7b2631aa970b7a9c2868269f120e51ddf6f
+Bottom: 5c6fad90032135d6828414f74e8eae1b8bcf1954
+Top:    b54fb6025438aaaf6c4da81f60d0bf50a69c2f70
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:13:04 -0300
+Date:   2013-08-31 01:04:00 -0300
 
 Thread safety documentation.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a972cbb641150922f5dea32a6f655e40414c86ff

commit a972cbb641150922f5dea32a6f655e40414c86ff
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..dac8f2e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
@@ -414,6 +545,10 @@ according to the selected locale using this information.
 @comment locale.h
 @comment ISO
 @deftypefun {struct lconv *} localeconv (void)
+@safety{@mtunsafe{staticbuf, glocale}@assafe{}@acsafe{}}
+@c This function reads from multiple components of the locale object,
+@c without synchronization, while writing to the static buffer it uses
+@c as the return value.
 The @code{localeconv} function returns a pointer to a structure whose
 components contain information about how numeric and monetary values
 should be formatted in the current locale.
@@ -680,6 +815,9 @@ was introduced.
 @comment langinfo.h
 @comment XOPEN
 @deftypefun {char *} nl_langinfo (nl_item @var{item})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c It calls _nl_langinfo_l with the current locale, which returns a
+@c pointer into constant strings defined in locale data structures.
 The @code{nl_langinfo} function can be used to access individual
 elements of the locale categories.  Unlike the @code{localeconv}
 function, which returns all the information, @code{nl_langinfo}
@@ -974,6 +1112,11 @@ locale information, making it easier for the user to format
 numbers according to these rules.
 
 @deftypefun ssize_t strfmon (char *@var{s}, size_t @var{maxsize}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c It (and strfmon_l) both call vstrfmon_l, which, besides accessing the
+@c locale object passed to it, accesses the active locale through
+@c isdigit (but to_digit assumes ASCII digits only).  It may call
+@c __printf_fp (glocale, asmalloc, memleak) and guess_grouping (safe).
 The @code{strfmon} function is similar to the @code{strftime} function
 in that it takes a buffer, its size, a format string,
 and values to write into the buffer as text in a form specified

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=96b965160d7c3558ccf87abf7f2fd853a03343e5

commit 96b965160d7c3558ccf87abf7f2fd853a03343e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:01 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..f07135e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=481d3df53d8c568232578ba58d71ddd6b461b9c6

commit 481d3df53d8c568232578ba58d71ddd6b461b9c6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cd1c8927299a03be9624e0b1b54e049371da1500

commit cd1c8927299a03be9624e0b1b54e049371da1500
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fccffdf69a6e46c63ce9f4e7adc46b97cceb81c7

commit fccffdf69a6e46c63ce9f4e7adc46b97cceb81c7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=18a4951c9cbf68f51a2dceaeb4cea3036f0ebea0

commit 18a4951c9cbf68f51a2dceaeb4cea3036f0ebea0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:04:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 2a164a9..173306c 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1646,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2686,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e05d166acc5534804dd2ee0f91e25d85cb546685

commit e05d166acc5534804dd2ee0f91e25d85cb546685
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=51a856392fd604dac2529a05ed2af3b71b37a583

commit 51a856392fd604dac2529a05ed2af3b71b37a583
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=37096c9f7bf26b43c6b010e9629edea7cb89d1e8

commit 37096c9f7bf26b43c6b010e9629edea7cb89d1e8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7c4dccbbd275011bd7e03d69e5026089a03dbc7b

commit 7c4dccbbd275011bd7e03d69e5026089a03dbc7b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 30630ca..9ffe87b 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger than @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1397,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1407,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1417,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1546,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1631,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2393,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2403,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2444,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2653,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2662,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale, asmalloc, memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2827,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4243,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4441,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4636,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4806,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4823,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4948,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5118,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5234,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=16bbb85f36fbb817d72e3dec082888129ba9cdf4

commit 16bbb85f36fbb817d72e3dec082888129ba9cdf4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 30630ca..dad1072 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger than @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1397,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1407,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1417,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1546,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1631,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2393,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2403,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2444,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2653,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2662,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2827,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4243,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4441,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4636,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4806,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4823,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4948,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5118,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5234,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=79a8df96fa61ec75e4a90255a008417f725c5009

commit 79a8df96fa61ec75e4a90255a008417f725c5009
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:58 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e500e6b451e90bcfa93b9ebc11eee98ff9948da4

commit e500e6b451e90bcfa93b9ebc11eee98ff9948da4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1326,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1353,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1450,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1585,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1597,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1609,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1728,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2201,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2287,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2463,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2775,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3882,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3902,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=74404662e804550da523e8be4c8cbca7d1df1e4d

commit 74404662e804550da523e8be4c8cbca7d1df1e4d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=917a111878057a3254a5aae2a9e436e2da0521f2

commit 917a111878057a3254a5aae2a9e436e2da0521f2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1154,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1188,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1227,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1322,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac5bbc507973eb6ce1cd3b11d0456f31bdbea7d3

commit ac5bbc507973eb6ce1cd3b11d0456f31bdbea7d3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:57 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d11a5f289468002d2e001e32fbc1db8a8ab6004d

commit d11a5f289468002d2e001e32fbc1db8a8ab6004d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:56 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1cac453..cd23ff6 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the
 file.  This structure is associated with the @var{dirstream} handle
@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is a version of @code{readdir} which performs internal
 locking.  Like @code{readdir} it returns the next entry from the
 directory.  To prevent conflicts between simultaneously running
@@ -549,6 +591,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -630,6 +683,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -649,6 +706,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -679,6 +749,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Calls strverscmp, which will evaluate .
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{glocale}@asunsafe{asmalloc}@acsafe{memleak}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -913,6 +993,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1223,6 +1320,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1282,6 +1380,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1323,6 +1423,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1404,6 +1507,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1908,6 +2020,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger than @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1942,6 +2056,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1969,6 +2091,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger than @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -2007,12 +2132,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -2020,6 +2147,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -2027,12 +2155,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2765,6 +2907,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2830,6 +2979,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2846,6 +2998,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger than @math{2^31} bytes on 32-bit machines.
@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3225,6 +3413,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=76884a41c04d96b2e1bab16fd4f76157c306fc81

commit 76884a41c04d96b2e1bab16fd4f76157c306fc81
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:56 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1cac453..182fd33 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the
 file.  This structure is associated with the @var{dirstream} handle
@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is a version of @code{readdir} which performs internal
 locking.  Like @code{readdir} it returns the next entry from the
 directory.  To prevent conflicts between simultaneously running
@@ -549,6 +591,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -630,6 +683,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -649,6 +706,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -679,6 +749,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -913,6 +993,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1223,6 +1320,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1282,6 +1380,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1323,6 +1423,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1404,6 +1507,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1908,6 +2020,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger than @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1942,6 +2056,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1969,6 +2091,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger than @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -2007,12 +2132,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -2020,6 +2147,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -2027,12 +2155,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2765,6 +2907,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2830,6 +2979,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2846,6 +2998,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger than @math{2^31} bytes on 32-bit machines.
@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3225,6 +3413,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fdbe248de910c1e7ef9ae9b744eed8d658ac5d29

commit fdbe248de910c1e7ef9ae9b744eed8d658ac5d29
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:56 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3c03cf246bde895688e98b832b45fcc835a9d2dc

commit 3c03cf246bde895688e98b832b45fcc835a9d2dc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1aa7f3b6fc9a8771b43d3adb63e254f8caf5aa5b

commit 1aa7f3b6fc9a8771b43d3adb63e254f8caf5aa5b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dbe30b42d6c674a6d02343411c9d29f4bbab2084

commit dbe30b42d6c674a6d02343411c9d29f4bbab2084
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=09ba3b7906d2614779c884c67726e86105a157d0

commit 09ba3b7906d2614779c884c67726e86105a157d0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..a3c8fa5 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,6 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
@@ -127,6 +134,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +202,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +250,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +266,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +281,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +300,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +382,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +409,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=468d2e671888f9b5ce639bef1016b1422f469830

commit 468d2e671888f9b5ce639bef1016b1422f469830
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:54 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index c720063..79bfcdb 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1348,6 +1359,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1375,6 +1391,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1624,6 +1642,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d13721f3fcad9209c33e8ce0d6640a3d334566c

commit 5d13721f3fcad9209c33e8ce0d6640a3d334566c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:54 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index 4042639..4301727 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=df0d63ac4db5760df6264dd7c070e46b4bc76bd5

commit df0d63ac4db5760df6264dd7c070e46b4bc76bd5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:54 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c8161f62379675acafc26a1733624d033cc4f6fd

commit c8161f62379675acafc26a1733624d033cc4f6fd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2241fe9399aa7805b0df7b4abe1de3923d100d96

commit 2241fe9399aa7805b0df7b4abe1de3923d100d96
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:53 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..c3142ad 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,434 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{oncesafe}
+@cindex oncesafe
+
+Functions marked with @code{oncesafe} use the internal @code{libc_once}
+machinery to initialize internal data structures.
+
+If a signal handler interrupts such an initializer, and calls any
+function that also performs @code{libc_once} initialization, it will
+deadlock if the thread library is linked in.
+
+Furthermore, if an initializer is partially complete before it is
+canceled or interrupted by a signal whose handler requires the same
+initialization, some or all of the initialization may be performed more
+than once, leaking resources or even result in corrupt internal data
+structures.
+
+Applications that need to call functions marked with @code{oncesafe}
+should ensure the initialization is performed before configuring signal
+handlers or enabling cancellation, so that the AS- and AC-Safety issues
+related with @code{libc_once} do not arise.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+properties we documented are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=874e350341a8e14881907b059e6d988de123648f

commit 874e350341a8e14881907b059e6d988de123648f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:53 2013 -0300

    Remove unused sysdeps/ieee754/support.c.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c: Remove.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
deleted file mode 100644
index 0bbd892..0000000
--- a/sysdeps/ieee754/support.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
-#endif /* not lint */
-
-/*
- * Some IEEE standard 754 recommended functions and remainder and sqrt for
- * supporting the C elementary functions.
- ******************************************************************************
- * WARNING:
- *      These codes are developed (in double) to support the C elementary
- * functions temporarily. They are not universal, and some of them are very
- * slow (in particular, drem and sqrt is extremely inefficient). Each
- * computer system should have its implementation of these functions using
- * its own assembler.
- ******************************************************************************
- *
- * IEEE 754 required operations:
- *     drem(x,p)
- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
- *              nearest x/y; in half way case, choose the even one.
- *     sqrt(x)
- *              returns the square root of x correctly rounded according to
- *		the rounding mod.
- *
- * IEEE 754 recommended functions:
- * (a) copysign(x,y)
- *              returns x with the sign of y.
- * (b) scalb(x,N)
- *              returns  x * (2**N), for integer values N.
- * (c) logb(x)
- *              returns the unbiased exponent of x, a signed integer in
- *              double precision, except that logb(0) is -INF, logb(INF)
- *              is +INF, and logb(NAN) is that NAN.
- * (d) finite(x)
- *              returns the value TRUE if -INF < x < +INF and returns
- *              FALSE otherwise.
- *
- *
- * CODED IN C BY K.C. NG, 11/25/84;
- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
- */
-
-#include "mathimpl.h"
-
-#if defined(vax)||defined(tahoe)      /* VAX D format */
-#include <errno.h>
-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
-    static const short  prep1=57, gap=7, bias=129           ;
-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
-#else	/* defined(vax)||defined(tahoe) */
-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
-    static const short prep1=54, gap=4, bias=1023           ;
-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
-#endif	/* defined(vax)||defined(tahoe) */
-
-double scalbn(x,N)
-double x; int N;
-{
-        int k;
-
-#ifdef national
-        unsigned short *px=(unsigned short *) &x + 3;
-#else	/* national */
-        unsigned short *px=(unsigned short *) &x;
-#endif	/* national */
-
-        if( x == zero )  return(x);
-
-#if defined(vax)||defined(tahoe)
-        if( (k= *px & mexp ) != ~msign ) {
-            if (N < -260)
-		return(nunf*nunf);
-	    else if (N > 260) {
-		return(copysign(infnan(ERANGE),x));
-	    }
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp ) {
-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
-            if( k == 0 ) {
-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
-#endif	/* defined(vax)||defined(tahoe) */
-
-            if((k = (k>>gap)+ N) > 0 )
-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
-                else x=novf+novf;               /* overflow */
-            else
-                if( k > -prep1 )
-                                        /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
-                else
-                return(nunf*nunf);
-            }
-        return(x);
-}
-
-
-double copysign(x,y)
-double x,y;
-{
-#ifdef national
-        unsigned short  *px=(unsigned short *) &x+3,
-                        *py=(unsigned short *) &y+3;
-#else	/* national */
-        unsigned short  *px=(unsigned short *) &x,
-                        *py=(unsigned short *) &y;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        if ( (*px & mexp) == 0 ) return(x);
-#endif	/* defined(vax)||defined(tahoe) */
-
-        *px = ( *px & msign ) | ( *py & ~msign );
-        return(x);
-}
-
-double logb(x)
-double x;
-{
-
-#ifdef national
-        short *px=(short *) &x+3, k;
-#else	/* national */
-        short *px=(short *) &x, k;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        return (int)(((*px&mexp)>>gap)-bias);
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp )
-            if ( k != 0 )
-                return ( (k>>gap) - bias );
-            else if( x != zero)
-                return ( -1022.0 );
-            else
-                return(-(1.0/zero));
-        else if(x != x)
-            return(x);
-        else
-            {*px &= msign; return(x);}
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-finite(x)
-double x;
-{
-#if defined(vax)||defined(tahoe)
-        return(1);
-#else	/* defined(vax)||defined(tahoe) */
-#ifdef national
-        return( (*((short *) &x+3 ) & mexp ) != mexp );
-#else	/* national */
-        return( (*((short *) &x ) & mexp ) != mexp );
-#endif	/* national */
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-double drem(x,p)
-double x,p;
-{
-        short sign;
-        double hp,dp,tmp;
-        unsigned short  k;
-#ifdef national
-        unsigned short
-              *px=(unsigned short *) &x  +3,
-              *pp=(unsigned short *) &p  +3,
-              *pd=(unsigned short *) &dp +3,
-              *pt=(unsigned short *) &tmp+3;
-#else	/* national */
-        unsigned short
-              *px=(unsigned short *) &x  ,
-              *pp=(unsigned short *) &p  ,
-              *pd=(unsigned short *) &dp ,
-              *pt=(unsigned short *) &tmp;
-#endif	/* national */
-
-        *pp &= msign ;
-
-#if defined(vax)||defined(tahoe)
-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *px & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		return  (x-p)-(x-p);	/* create nan if x is inf */
-	if (p == zero) {
-#if defined(vax)||defined(tahoe)
-		return(infnan(EDOM));
-#else	/* defined(vax)||defined(tahoe) */
-		return zero/zero;
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-#if defined(vax)||defined(tahoe)
-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *pp & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		{ if (p != p) return p; else return x;}
-
-        else  if ( ((*pp & mexp)>>gap) <= 1 )
-                /* subnormal p, or almost subnormal p */
-            { double b; b=scalbn(1.0,(int)prep1);
-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
-        else  if ( p >= novf/2)
-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
-        else
-            {
-                dp=p+p; hp=p/2;
-                sign= *px & ~msign ;
-                *px &= msign       ;
-                while ( x > dp )
-                    {
-                        k=(*px & mexp) - (*pd & mexp) ;
-                        tmp = dp ;
-                        *pt += k ;
-
-#if defined(vax)||defined(tahoe)
-                        if( x < tmp ) *pt -= 128 ;
-#else	/* defined(vax)||defined(tahoe) */
-                        if( x < tmp ) *pt -= 16 ;
-#endif	/* defined(vax)||defined(tahoe) */
-
-                        x -= tmp ;
-                    }
-                if ( x > hp )
-                    { x -= p ;  if ( x >= hp ) x -= p ; }
-
-#if defined(vax)||defined(tahoe)
-		if (x)
-#endif	/* defined(vax)||defined(tahoe) */
-			*px ^= sign;
-                return( x);
-
-            }
-}
-
-
-double sqrt(x)
-double x;
-{
-        double q,s,b,r;
-        double t;
-	double const zero=0.0;
-        int m,n,i;
-#if defined(vax)||defined(tahoe)
-        int k=54;
-#else	/* defined(vax)||defined(tahoe) */
-        int k=51;
-#endif	/* defined(vax)||defined(tahoe) */
-
-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-        if(x!=x||x==zero) return(x);
-
-    /* sqrt(negative) is invalid */
-        if(x<zero) {
-#if defined(vax)||defined(tahoe)
-		return (infnan(EDOM));	/* NaN */
-#else	/* defined(vax)||defined(tahoe) */
-		return(zero/zero);
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-    /* sqrt(INF) is INF */
-        if(!finite(x)) return(x);
-
-    /* scale x to [1,4) */
-        n=logb(x);
-        x=scalbn(x,-n);
-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
-        m += n;
-        n = m/2;
-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
-
-    /* generate sqrt(x) bit by bit (accumulating in q) */
-            q=1.0; s=4.0; x -= 1.0; r=1;
-            for(i=1;i<=k;i++) {
-                t=s+1; x *= 4; r /= 2;
-                if(t<=x) {
-                    s=t+t+2, x -= t; q += r;}
-                else
-                    s *= 2;
-                }
-
-    /* generate the last bit and determine the final rounding */
-            r/=2; x *= 4;
-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
-            if(s<x) {
-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
-                t = (x-s)-5;
-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
-            else {
-                s *= 2; x *= 4;
-                t = (x-s)-1;
-                b=1.0+3*r/4; if(b==1.0) goto end;
-                b=1.0+r/4;   if(b>1.0) t=1;
-                if(t>=0) q+=r; }
-
-end:        return(scalbn(q,n));
-}
-
-#if 0
-/* DREM(X,Y)
- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
- * INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions (not on a VAX):
- *     swapINX(i): save inexact flag and reset it to "i"
- *     swapENI(e): save inexact enable and reset it to "e"
- */
-
-double drem(x,y)
-double x,y;
-{
-
-#ifdef national		/* order of words in floating point number */
-	static const n0=3,n1=2,n2=1,n3=0;
-#else /* VAX, SUN, ZILOG, TAHOE */
-	static const n0=0,n1=1,n2=2,n3=3;
-#endif
-
-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
-	static const double zero=0.0;
-	double hy,y1,t,t1;
-	short k;
-	long n;
-	int i,e;
-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
-			nx,nf,	  *py  =(unsigned short *) &y  ,
-			sign,	  *pt  =(unsigned short *) &t  ,
-				  *pt1 =(unsigned short *) &t1 ;
-
-	xexp = px[n0] & mexp ;	/* exponent of x */
-	yexp = py[n0] & mexp ;	/* exponent of y */
-	sign = px[n0] &0x8000;	/* sign of x     */
-
-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
-	if(y==zero) return(y/y);
-
-/* save the inexact flag and inexact enable in i and e respectively
- * and reset them to zero
- */
-	i=swapINX(0);	e=swapENI(0);
-
-/* subnormal number */
-	nx=0;
-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
-
-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
-
-	nf=nx;
-	py[n0] &= 0x7fff;
-	px[n0] &= 0x7fff;
-
-/* mask off the least significant 27 bits of y */
-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
-
-/* LOOP: argument reduction on x whenever x > y */
-loop:
-	while ( x > y )
-	{
-	    t=y;
-	    t1=y1;
-	    xexp=px[n0]&mexp;	  /* exponent of x */
-	    k=xexp-yexp-m25;
-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
-		{pt[n0]+=k;pt1[n0]+=k;}
-	    n=x/t; x=(x-n*t1)-n*(t-t1);
-	}
-    /* end while (x > y) */
-
-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
-
-/* final adjustment */
-
-	hy=y/2.0;
-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
-	px[n0] ^= sign;
-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
-
-/* restore inexact flag and inexact enable */
-	swapINX(i); swapENI(e);
-
-	return(x);
-}
-#endif
-
-#if 0
-/* SQRT
- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/22/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions:
- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
- */
-
-static const unsigned long table[] = {
-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
-
-double newsqrt(x)
-double x;
-{
-        double y,z,t,addc(),subc()
-	double const b54=134217728.*134217728.; /* b54=2**54 */
-        long mx,scalx;
-	long const mexp=0x7ff00000;
-        int i,j,r,e,swapINX(),swapRM(),swapENI();
-        unsigned long *py=(unsigned long *) &y   ,
-                      *pt=(unsigned long *) &t   ,
-                      *px=(unsigned long *) &x   ;
-#ifdef national         /* ordering of word in a floating point number */
-        const int n0=1, n1=0;
-#else
-        const int n0=0, n1=1;
-#endif
-/* Rounding Mode:  RN ...round-to-nearest
- *                 RZ ...round-towards 0
- *                 RP ...round-towards +INF
- *		   RM ...round-towards -INF
- */
-        const int RN=0,RZ=1,RP=2,RM=3;
-				/* machine dependent: work on a Zilog Z8070
-                                 * and a National 32081 & 16081
-                                 */
-
-/* exceptions */
-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
-
-/* save, reset, initialize */
-        e=swapENI(0);   /* ...save and reset the inexact enable */
-        i=swapINX(0);   /* ...save INEXACT flag */
-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
-        scalx=0;
-
-/* subnormal number, scale up x to x*2**54 */
-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
-
-/* scale x to avoid intermediate over/underflow:
- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
-
-/* magic initial approximation to almost 8 sig. bits */
-        py[n0]=(px[n0]>>1)+0x1ff80000;
-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
-
-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
-
-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
-
-/* twiddle last bit to force y correctly rounded */
-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
-        swapINX(0);     /* ...clear INEXACT flag */
-        swapENI(e);     /* ...restore inexact enable status */
-        t=x/y;          /* ...chopped quotient, possibly inexact */
-        j=swapINX(i);   /* ...read and restore inexact flag */
-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
-        y=y+t;                          /* ...chopped sum */
-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
-        swapRM(r);                      /* ...restore Rounding Mode */
-        return(y);
-}
-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1e5d1e38b6a866f88772d34ec2d1b3a75d78b233

commit 1e5d1e38b6a866f88772d34ec2d1b3a75d78b233
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 31 01:03:52 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=274d255020884189382b12ecd37cdf8707241352

commit 274d255020884189382b12ecd37cdf8707241352
Merge: e33468d 4a1b658
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 23:13:57 2013 -0300

    delete


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e33468dfde1f9cbf5d349d2b7524dae24ab7571a

commit e33468dfde1f9cbf5d349d2b7524dae24ab7571a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 23:13:57 2013 -0300

    delete

diff --git a/meta b/meta
index 001de77..9792083 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 80e0455b67075e630585206b0ea1552b7a1cd357
-Head: d718831b3f61b35bf4c5294b9f3dacecf9129241
+Previous: 4a1b658a629243592ceb4f42b4903286e96fbd9f
+Head: e9145a48fc85e7f29a8589f4c8185647d0907e34
 Applied:
   unused-scalb-is-scalbn.patch: 601f2444208808e1d17c679fa7a119ccb9db4254
   remove-sysdeps-ieee754-support.patch: 34abea62b6ff2865a7f75c0d5186018b3a82899d
@@ -29,6 +29,5 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 31e58276bacf72345d2bf27b274bcd254f615a4b
   wip-manual-document-mt-safety-time.patch: 95da1194f415a13a61ce12c7439d411d990dc92e
   wip-manual-document-mt-safety-locale.patch: e9145a48fc85e7f29a8589f4c8185647d0907e34
-  findlocale-re-search-alias-in-archive-bz971416-bz928729.patch: d718831b3f61b35bf4c5294b9f3dacecf9129241
 Unapplied:
 Hidden:
diff --git a/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch b/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
deleted file mode 100644
index 986e278..0000000
--- a/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Bottom: 8302a915c7103c415d81e3db9b4e0b9db02bb42b
-Top:    75c468eb7e225d96ebe0204714f96b4451f3fd0a
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-30 05:59:33 -0300
-
-for  ChangeLog
-
-	* locale/findlocale.c (_nl_find_locale): Retry archive search
-        after alias expansion.
-
-
----
-
-diff --git a/locale/findlocale.c b/locale/findlocale.c
-index 3c04aa8..845e260 100644
---- a/locale/findlocale.c
-+++ b/locale/findlocale.c
-@@ -108,15 +108,26 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
-       if (__builtin_expect (data != NULL, 1))
- 	return data;
- 
-+      /* Nothing in the archive with the given name.  Expanding it as
-+	 an alias and retry.  */
-+      loc_name = (char *) _nl_expand_alias (*name);
-+      if (loc_name != NULL)
-+	{
-+	  data = _nl_load_locale_from_archive (category, &loc_name);
-+	  if (__builtin_expect (data != NULL, 1))
-+	    return data;
-+	}
-+
-       /* Nothing in the archive.  Set the default path to search below.  */
-       locale_path = _nl_default_locale_path;
-       locale_path_len = sizeof _nl_default_locale_path;
-     }
-+  else
-+    /* We really have to load some data.  First see whether the name is
-+       an alias.  Please note that this makes it impossible to have "C"
-+       or "POSIX" as aliases.  */
-+    loc_name = (char *) _nl_expand_alias (*name);
- 
--  /* We really have to load some data.  First see whether the name is
--     an alias.  Please note that this makes it impossible to have "C"
--     or "POSIX" as aliases.  */
--  loc_name = (char *) _nl_expand_alias (*name);
-   if (loc_name == NULL)
-     /* It is no alias.  */
-     loc_name = (char *) *name;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4a1b658a629243592ceb4f42b4903286e96fbd9f

commit 4a1b658a629243592ceb4f42b4903286e96fbd9f
Merge: 41e7048 d718831 80e0455
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 06:32:06 2013 -0300

    edit


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=41e704870eeb1585ee160a3662c080e6b31097a6

commit 41e704870eeb1585ee160a3662c080e6b31097a6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 06:32:05 2013 -0300

    edit

diff --git a/meta b/meta
index 3724b06..001de77 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a69aa964ee9c141d2ba641e386f41ece69949757
-Head: 48e7f0dbb3219c6e9deeec4cea6a51c1991aa9b9
+Previous: 80e0455b67075e630585206b0ea1552b7a1cd357
+Head: d718831b3f61b35bf4c5294b9f3dacecf9129241
 Applied:
   unused-scalb-is-scalbn.patch: 601f2444208808e1d17c679fa7a119ccb9db4254
   remove-sysdeps-ieee754-support.patch: 34abea62b6ff2865a7f75c0d5186018b3a82899d
@@ -29,6 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 31e58276bacf72345d2bf27b274bcd254f615a4b
   wip-manual-document-mt-safety-time.patch: 95da1194f415a13a61ce12c7439d411d990dc92e
   wip-manual-document-mt-safety-locale.patch: e9145a48fc85e7f29a8589f4c8185647d0907e34
-  findlocale-re-search-alias-in-archive-bz971416-bz928729.patch: 48e7f0dbb3219c6e9deeec4cea6a51c1991aa9b9
+  findlocale-re-search-alias-in-archive-bz971416-bz928729.patch: d718831b3f61b35bf4c5294b9f3dacecf9129241
 Unapplied:
 Hidden:
diff --git a/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch b/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
index 6af5b0e..986e278 100644
--- a/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
+++ b/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
@@ -3,6 +3,10 @@ Top:    75c468eb7e225d96ebe0204714f96b4451f3fd0a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-30 05:59:33 -0300
 
+for  ChangeLog
+
+	* locale/findlocale.c (_nl_find_locale): Retry archive search
+        after alias expansion.
 
 
 ---

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=80e0455b67075e630585206b0ea1552b7a1cd357

commit 80e0455b67075e630585206b0ea1552b7a1cd357
Merge: 2d3673a 48e7f0d a69aa96
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 06:28:09 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2d3673a48417b9d1eeb530b30ae919acd30333fe

commit 2d3673a48417b9d1eeb530b30ae919acd30333fe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 06:28:09 2013 -0300

    refresh

diff --git a/meta b/meta
index 9af3130..3724b06 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 23a49bbd1b4d603ce593518a42222134c86f5b1f
-Head: 95f57b0f6653d3b139058271efecc59d17a651ad
+Previous: a69aa964ee9c141d2ba641e386f41ece69949757
+Head: 48e7f0dbb3219c6e9deeec4cea6a51c1991aa9b9
 Applied:
   unused-scalb-is-scalbn.patch: 601f2444208808e1d17c679fa7a119ccb9db4254
   remove-sysdeps-ieee754-support.patch: 34abea62b6ff2865a7f75c0d5186018b3a82899d
@@ -29,7 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 31e58276bacf72345d2bf27b274bcd254f615a4b
   wip-manual-document-mt-safety-time.patch: 95da1194f415a13a61ce12c7439d411d990dc92e
   wip-manual-document-mt-safety-locale.patch: e9145a48fc85e7f29a8589f4c8185647d0907e34
-  findlocale-re-search-alias-in-archive-bz971416-bz928729.patch: a4e7e35ce50fa9d42b9da7445b6801548993b8a6
-  refresh-temp: 95f57b0f6653d3b139058271efecc59d17a651ad
+  findlocale-re-search-alias-in-archive-bz971416-bz928729.patch: 48e7f0dbb3219c6e9deeec4cea6a51c1991aa9b9
 Unapplied:
 Hidden:
diff --git a/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch b/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
index 1cb140d..6af5b0e 100644
--- a/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
+++ b/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
@@ -1,5 +1,5 @@
 Bottom: 8302a915c7103c415d81e3db9b4e0b9db02bb42b
-Top:    8302a915c7103c415d81e3db9b4e0b9db02bb42b
+Top:    75c468eb7e225d96ebe0204714f96b4451f3fd0a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-30 05:59:33 -0300
 
@@ -7,4 +7,38 @@ Date:   2013-08-30 05:59:33 -0300
 
 ---
 
-
+diff --git a/locale/findlocale.c b/locale/findlocale.c
+index 3c04aa8..845e260 100644
+--- a/locale/findlocale.c
++++ b/locale/findlocale.c
+@@ -108,15 +108,26 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
+       if (__builtin_expect (data != NULL, 1))
+ 	return data;
+ 
++      /* Nothing in the archive with the given name.  Expanding it as
++	 an alias and retry.  */
++      loc_name = (char *) _nl_expand_alias (*name);
++      if (loc_name != NULL)
++	{
++	  data = _nl_load_locale_from_archive (category, &loc_name);
++	  if (__builtin_expect (data != NULL, 1))
++	    return data;
++	}
++
+       /* Nothing in the archive.  Set the default path to search below.  */
+       locale_path = _nl_default_locale_path;
+       locale_path_len = sizeof _nl_default_locale_path;
+     }
++  else
++    /* We really have to load some data.  First see whether the name is
++       an alias.  Please note that this makes it impossible to have "C"
++       or "POSIX" as aliases.  */
++    loc_name = (char *) _nl_expand_alias (*name);
+ 
+-  /* We really have to load some data.  First see whether the name is
+-     an alias.  Please note that this makes it impossible to have "C"
+-     or "POSIX" as aliases.  */
+-  loc_name = (char *) _nl_expand_alias (*name);
+   if (loc_name == NULL)
+     /* It is no alias.  */
+     loc_name = (char *) *name;
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index d7b80e6..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,44 +0,0 @@
-Bottom: 8302a915c7103c415d81e3db9b4e0b9db02bb42b
-Top:    75c468eb7e225d96ebe0204714f96b4451f3fd0a
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-30 06:28:08 -0300
-
-Refresh of findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
-
----
-
-diff --git a/locale/findlocale.c b/locale/findlocale.c
-index 3c04aa8..845e260 100644
---- a/locale/findlocale.c
-+++ b/locale/findlocale.c
-@@ -108,15 +108,26 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
-       if (__builtin_expect (data != NULL, 1))
- 	return data;
- 
-+      /* Nothing in the archive with the given name.  Expanding it as
-+	 an alias and retry.  */
-+      loc_name = (char *) _nl_expand_alias (*name);
-+      if (loc_name != NULL)
-+	{
-+	  data = _nl_load_locale_from_archive (category, &loc_name);
-+	  if (__builtin_expect (data != NULL, 1))
-+	    return data;
-+	}
-+
-       /* Nothing in the archive.  Set the default path to search below.  */
-       locale_path = _nl_default_locale_path;
-       locale_path_len = sizeof _nl_default_locale_path;
-     }
-+  else
-+    /* We really have to load some data.  First see whether the name is
-+       an alias.  Please note that this makes it impossible to have "C"
-+       or "POSIX" as aliases.  */
-+    loc_name = (char *) _nl_expand_alias (*name);
- 
--  /* We really have to load some data.  First see whether the name is
--     an alias.  Please note that this makes it impossible to have "C"
--     or "POSIX" as aliases.  */
--  loc_name = (char *) _nl_expand_alias (*name);
-   if (loc_name == NULL)
-     /* It is no alias.  */
-     loc_name = (char *) *name;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a69aa964ee9c141d2ba641e386f41ece69949757

commit a69aa964ee9c141d2ba641e386f41ece69949757
Merge: ea79bcf 23a49bb 95f57b0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 06:28:09 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ea79bcfcfa0047f8dff7e142765075f606f45825

commit ea79bcfcfa0047f8dff7e142765075f606f45825
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 06:28:09 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 3e6cb95..9af3130 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 26fd40554d5b72c9a2d885d795381d2bab28ee9f
-Head: a4e7e35ce50fa9d42b9da7445b6801548993b8a6
+Previous: 23a49bbd1b4d603ce593518a42222134c86f5b1f
+Head: 95f57b0f6653d3b139058271efecc59d17a651ad
 Applied:
   unused-scalb-is-scalbn.patch: 601f2444208808e1d17c679fa7a119ccb9db4254
   remove-sysdeps-ieee754-support.patch: 34abea62b6ff2865a7f75c0d5186018b3a82899d
@@ -30,5 +30,6 @@ Applied:
   wip-manual-document-mt-safety-time.patch: 95da1194f415a13a61ce12c7439d411d990dc92e
   wip-manual-document-mt-safety-locale.patch: e9145a48fc85e7f29a8589f4c8185647d0907e34
   findlocale-re-search-alias-in-archive-bz971416-bz928729.patch: a4e7e35ce50fa9d42b9da7445b6801548993b8a6
+  refresh-temp: 95f57b0f6653d3b139058271efecc59d17a651ad
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..d7b80e6
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,44 @@
+Bottom: 8302a915c7103c415d81e3db9b4e0b9db02bb42b
+Top:    75c468eb7e225d96ebe0204714f96b4451f3fd0a
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-30 06:28:08 -0300
+
+Refresh of findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
+
+---
+
+diff --git a/locale/findlocale.c b/locale/findlocale.c
+index 3c04aa8..845e260 100644
+--- a/locale/findlocale.c
++++ b/locale/findlocale.c
+@@ -108,15 +108,26 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
+       if (__builtin_expect (data != NULL, 1))
+ 	return data;
+ 
++      /* Nothing in the archive with the given name.  Expanding it as
++	 an alias and retry.  */
++      loc_name = (char *) _nl_expand_alias (*name);
++      if (loc_name != NULL)
++	{
++	  data = _nl_load_locale_from_archive (category, &loc_name);
++	  if (__builtin_expect (data != NULL, 1))
++	    return data;
++	}
++
+       /* Nothing in the archive.  Set the default path to search below.  */
+       locale_path = _nl_default_locale_path;
+       locale_path_len = sizeof _nl_default_locale_path;
+     }
++  else
++    /* We really have to load some data.  First see whether the name is
++       an alias.  Please note that this makes it impossible to have "C"
++       or "POSIX" as aliases.  */
++    loc_name = (char *) _nl_expand_alias (*name);
+ 
+-  /* We really have to load some data.  First see whether the name is
+-     an alias.  Please note that this makes it impossible to have "C"
+-     or "POSIX" as aliases.  */
+-  loc_name = (char *) _nl_expand_alias (*name);
+   if (loc_name == NULL)
+     /* It is no alias.  */
+     loc_name = (char *) *name;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=95f57b0f6653d3b139058271efecc59d17a651ad

commit 95f57b0f6653d3b139058271efecc59d17a651ad
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 06:28:08 2013 -0300

    Refresh of findlocale-re-search-alias-in-archive-bz971416-bz928729.patch

diff --git a/locale/findlocale.c b/locale/findlocale.c
index 3c04aa8..845e260 100644
--- a/locale/findlocale.c
+++ b/locale/findlocale.c
@@ -108,15 +108,26 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
       if (__builtin_expect (data != NULL, 1))
 	return data;
 
+      /* Nothing in the archive with the given name.  Expanding it as
+	 an alias and retry.  */
+      loc_name = (char *) _nl_expand_alias (*name);
+      if (loc_name != NULL)
+	{
+	  data = _nl_load_locale_from_archive (category, &loc_name);
+	  if (__builtin_expect (data != NULL, 1))
+	    return data;
+	}
+
       /* Nothing in the archive.  Set the default path to search below.  */
       locale_path = _nl_default_locale_path;
       locale_path_len = sizeof _nl_default_locale_path;
     }
+  else
+    /* We really have to load some data.  First see whether the name is
+       an alias.  Please note that this makes it impossible to have "C"
+       or "POSIX" as aliases.  */
+    loc_name = (char *) _nl_expand_alias (*name);
 
-  /* We really have to load some data.  First see whether the name is
-     an alias.  Please note that this makes it impossible to have "C"
-     or "POSIX" as aliases.  */
-  loc_name = (char *) _nl_expand_alias (*name);
   if (loc_name == NULL)
     /* It is no alias.  */
     loc_name = (char *) *name;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d718831b3f61b35bf4c5294b9f3dacecf9129241

commit d718831b3f61b35bf4c5294b9f3dacecf9129241
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 05:59:33 2013 -0300

    for  ChangeLog
    
    	* locale/findlocale.c (_nl_find_locale): Retry archive search
            after alias expansion.

diff --git a/locale/findlocale.c b/locale/findlocale.c
index 3c04aa8..845e260 100644
--- a/locale/findlocale.c
+++ b/locale/findlocale.c
@@ -108,15 +108,26 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
       if (__builtin_expect (data != NULL, 1))
 	return data;
 
+      /* Nothing in the archive with the given name.  Expanding it as
+	 an alias and retry.  */
+      loc_name = (char *) _nl_expand_alias (*name);
+      if (loc_name != NULL)
+	{
+	  data = _nl_load_locale_from_archive (category, &loc_name);
+	  if (__builtin_expect (data != NULL, 1))
+	    return data;
+	}
+
       /* Nothing in the archive.  Set the default path to search below.  */
       locale_path = _nl_default_locale_path;
       locale_path_len = sizeof _nl_default_locale_path;
     }
+  else
+    /* We really have to load some data.  First see whether the name is
+       an alias.  Please note that this makes it impossible to have "C"
+       or "POSIX" as aliases.  */
+    loc_name = (char *) _nl_expand_alias (*name);
 
-  /* We really have to load some data.  First see whether the name is
-     an alias.  Please note that this makes it impossible to have "C"
-     or "POSIX" as aliases.  */
-  loc_name = (char *) _nl_expand_alias (*name);
   if (loc_name == NULL)
     /* It is no alias.  */
     loc_name = (char *) *name;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=48e7f0dbb3219c6e9deeec4cea6a51c1991aa9b9

commit 48e7f0dbb3219c6e9deeec4cea6a51c1991aa9b9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 05:59:33 2013 -0300

diff --git a/locale/findlocale.c b/locale/findlocale.c
index 3c04aa8..845e260 100644
--- a/locale/findlocale.c
+++ b/locale/findlocale.c
@@ -108,15 +108,26 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
       if (__builtin_expect (data != NULL, 1))
 	return data;
 
+      /* Nothing in the archive with the given name.  Expanding it as
+	 an alias and retry.  */
+      loc_name = (char *) _nl_expand_alias (*name);
+      if (loc_name != NULL)
+	{
+	  data = _nl_load_locale_from_archive (category, &loc_name);
+	  if (__builtin_expect (data != NULL, 1))
+	    return data;
+	}
+
       /* Nothing in the archive.  Set the default path to search below.  */
       locale_path = _nl_default_locale_path;
       locale_path_len = sizeof _nl_default_locale_path;
     }
+  else
+    /* We really have to load some data.  First see whether the name is
+       an alias.  Please note that this makes it impossible to have "C"
+       or "POSIX" as aliases.  */
+    loc_name = (char *) _nl_expand_alias (*name);
 
-  /* We really have to load some data.  First see whether the name is
-     an alias.  Please note that this makes it impossible to have "C"
-     or "POSIX" as aliases.  */
-  loc_name = (char *) _nl_expand_alias (*name);
   if (loc_name == NULL)
     /* It is no alias.  */
     loc_name = (char *) *name;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=23a49bbd1b4d603ce593518a42222134c86f5b1f

commit 23a49bbd1b4d603ce593518a42222134c86f5b1f
Merge: f9f3928 26fd405 a4e7e35
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 05:59:33 2013 -0300

    new


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f9f3928eed980d33c34b63c72d43ecd24115392a

commit f9f3928eed980d33c34b63c72d43ecd24115392a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 05:59:33 2013 -0300

    new

diff --git a/meta b/meta
index b2ac64b..3e6cb95 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: f629830e477da31c658efce637dcd5bf11b00ed8
-Head: e9145a48fc85e7f29a8589f4c8185647d0907e34
+Previous: 26fd40554d5b72c9a2d885d795381d2bab28ee9f
+Head: a4e7e35ce50fa9d42b9da7445b6801548993b8a6
 Applied:
   unused-scalb-is-scalbn.patch: 601f2444208808e1d17c679fa7a119ccb9db4254
   remove-sysdeps-ieee754-support.patch: 34abea62b6ff2865a7f75c0d5186018b3a82899d
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 31e58276bacf72345d2bf27b274bcd254f615a4b
   wip-manual-document-mt-safety-time.patch: 95da1194f415a13a61ce12c7439d411d990dc92e
   wip-manual-document-mt-safety-locale.patch: e9145a48fc85e7f29a8589f4c8185647d0907e34
+  findlocale-re-search-alias-in-archive-bz971416-bz928729.patch: a4e7e35ce50fa9d42b9da7445b6801548993b8a6
 Unapplied:
 Hidden:
diff --git a/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch b/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
new file mode 100644
index 0000000..1cb140d
--- /dev/null
+++ b/patches/findlocale-re-search-alias-in-archive-bz971416-bz928729.patch
@@ -0,0 +1,10 @@
+Bottom: 8302a915c7103c415d81e3db9b4e0b9db02bb42b
+Top:    8302a915c7103c415d81e3db9b4e0b9db02bb42b
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-30 05:59:33 -0300
+
+
+
+---
+
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a4e7e35ce50fa9d42b9da7445b6801548993b8a6

commit a4e7e35ce50fa9d42b9da7445b6801548993b8a6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 30 05:59:33 2013 -0300

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=26fd40554d5b72c9a2d885d795381d2bab28ee9f

commit 26fd40554d5b72c9a2d885d795381d2bab28ee9f
Merge: 88a0a6d e9145a4 f629830
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:13:08 2013 -0300

    pull


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=88a0a6d160bee6798b8d7102daa93fbedf481b79

commit 88a0a6d160bee6798b8d7102daa93fbedf481b79
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:13:08 2013 -0300

    pull

diff --git a/meta b/meta
index fa4c5d2..b2ac64b 100644
--- a/meta
+++ b/meta
@@ -1,33 +1,33 @@
 Version: 1
-Previous: af9711c5b7808f21ee60eb46c8048c3d054f0c31
-Head: 2e649ae373826f51a9c30dff4a9f0d3366c7a4b3
+Previous: f629830e477da31c658efce637dcd5bf11b00ed8
+Head: e9145a48fc85e7f29a8589f4c8185647d0907e34
 Applied:
-  unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
-  remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
-  manual-document-mt-safety.patch: 4e51ca6a99c605099f12a779df0d47cceeb4ae4f
-  manual-document-mt-safety-argp.patch: aaf60aa78ffc0da9405c007a36e9b5ad89f4d7e0
-  manual-document-mt-safety-arith.patch: f5408aef8fd0f838855b341cf29d4b3b0761ceae
-  manual-document-mt-safety-charset.patch: acec40190ccb799a124103745f39b272f5c5afa2
-  manual-document-mt-safety-conf.patch: 3f8919133306d121a29dea94df850074c59c9327
-  manual-document-mt-safety-crypt.patch: d10d9de8dc6b4909fc2ffaca9df6c08f497fe430
-  manual-document-mt-safety-ctype.patch: fe95a108afa92a848495f13bf1be98adf8eb7539
-  manual-document-mt-safety-debug.patch: 4e7d13cc87a994e6738371f001e34d4304db738f
-  manual-document-mt-safety-errno.patch: ed15acd8f144cf7fab2cb273f29a678af72fee1d
-  manual-document-mt-safety-filesys.patch: 841af416cc09ad9a10c030373274b83b7bf0e9f8
-  manual-document-mt-safety-getopt.patch: 8643cf752f8e508001e1faf25a3a50b940f5fcac
-  manual-document-mt-safety-libdl.patch: d7b8694a2eee5f336076db4c86e31d0a3e8a5884
-  manual-document-mt-safety-job.patch: dc5cc158e96987de0e4069e83b8553ae1d968df3
-  manual-document-mt-safety-lang.patch: 8d1637219ed7cc2f3bb4819d7a586659f1da3e50
-  manual-document-mt-safety-llio.patch: 114949fad3069f3c51d1cd9901a799988e8377b7
-  manual-document-mt-safety-stdio.patch: 5da6c6fb3d7087914a9d5b07d2c138b48d07891d
-  wip-manual-document-mt-safety-math.patch: 9465760239804be9c83371f416900c5d2b77c585
-  wip-manual-document-mt-safety-resource.patch: c071176c59f53ce8f1dfe15b851b99e7818cead1
-  wip-manual-document-mt-safety-startup.patch: 39bee707673a40f9f7ad816a32cb2b80767d24f5
-  wip-manual-document-mt-safety-search.patch: 7e937af701f2fa859ae881c59ced25cc3182ef1b
-  wip-manual-document-mt-safety-string.patch: 6c188d6d1877e318d247a68b863d6f25c5f62965
-  wip-manual-document-mt-safety-terminal.patch: d4b7d87f6ac0c1c4f537289efc7877c4d5bbae93
-  wip-manual-document-mt-safety-threads.patch: 3c71f75c7c0c64263bc679cc89fbfbcea8753653
-  wip-manual-document-mt-safety-time.patch: 0b3afb70e5ee7968cd9653bfa592f05bb5f4798d
-  wip-manual-document-mt-safety-locale.patch: 2e649ae373826f51a9c30dff4a9f0d3366c7a4b3
+  unused-scalb-is-scalbn.patch: 601f2444208808e1d17c679fa7a119ccb9db4254
+  remove-sysdeps-ieee754-support.patch: 34abea62b6ff2865a7f75c0d5186018b3a82899d
+  manual-document-mt-safety.patch: 400cde6651833f07505f9d1b935539ecac53f006
+  manual-document-mt-safety-argp.patch: e7b55795888c074364e9070adc34af37c58b1b70
+  manual-document-mt-safety-arith.patch: 6d1424edfa9fc55d9ae9188866fc4d07ca999ebb
+  manual-document-mt-safety-charset.patch: 57efa1b33f9b1d513d9f5af800c821485ad43bea
+  manual-document-mt-safety-conf.patch: 95d536639518ae7a6e106105e40e759ebaac1e85
+  manual-document-mt-safety-crypt.patch: bfd41b844cd2a718215b48d96bcfb88a593a3b58
+  manual-document-mt-safety-ctype.patch: bc57e1374fa217ebb08b3dc75c515873e34a230f
+  manual-document-mt-safety-debug.patch: 69023efa78bdaca363b5de32f56adea8ce05e13b
+  manual-document-mt-safety-errno.patch: 14586b49baa8cc3f7130be193d847967e9ce16d8
+  manual-document-mt-safety-filesys.patch: 455ec866c88f22881882323df735a2bdd7a2e5c8
+  manual-document-mt-safety-getopt.patch: 0b99c70c2cfa83e1c2f06765613650f7d0baa3cd
+  manual-document-mt-safety-libdl.patch: 756f4b7231c09a2f3330bfe8cef81cb9affbf4a4
+  manual-document-mt-safety-job.patch: 82c921e0fe0e03260273e0c3b9c534cb9ddc83ea
+  manual-document-mt-safety-lang.patch: 594da3770c027a01968fcfd3e459fc13bbdbf047
+  manual-document-mt-safety-llio.patch: 7fa5c0efde5f43928620b11438856b9174d41391
+  manual-document-mt-safety-stdio.patch: e8eca86a677a80f62b5bb0a17597cddf0a3cd9d5
+  wip-manual-document-mt-safety-math.patch: 305b77447b06df4c81a48a7f7dc0956ef8fe25e5
+  wip-manual-document-mt-safety-resource.patch: 944dd9eb606418530cc96cbaca0aaeb6ec89d590
+  wip-manual-document-mt-safety-startup.patch: 2df7a11143b0aec001575ef211e69f2fa271c61d
+  wip-manual-document-mt-safety-search.patch: 166b7eedb8e53f936ef842f708c68b2ac2394a76
+  wip-manual-document-mt-safety-string.patch: 13b20f6390fe51eabd827a7d4833df7c9b32f962
+  wip-manual-document-mt-safety-terminal.patch: 134a32db5ba4664731ebc1c2c15aaad32da69e07
+  wip-manual-document-mt-safety-threads.patch: 31e58276bacf72345d2bf27b274bcd254f615a4b
+  wip-manual-document-mt-safety-time.patch: 95da1194f415a13a61ce12c7439d411d990dc92e
+  wip-manual-document-mt-safety-locale.patch: e9145a48fc85e7f29a8589f4c8185647d0907e34
 Unapplied:
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 7d26e1b..80f0acf 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,7 +1,7 @@
-Bottom: bc51276153dccb4e0691cf1f0eb3c565579e39f7
-Top:    7c1f972f26f2cc5f1a309d366b4289bcd807d025
+Bottom: 52f86982187c30275067463fb7a6064b54969139
+Top:    9592a99187853c02f7033b271de199e85012a53a
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:04 -0300
+Date:   2013-08-29 04:12:39 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 6295886..862a159 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,7 +1,7 @@
-Bottom: 7c1f972f26f2cc5f1a309d366b4289bcd807d025
-Top:    9c86370cb53d549c50d2c79be3379b37f1330469
+Bottom: 9592a99187853c02f7033b271de199e85012a53a
+Top:    a46ac9b1deecd51710762b73ec64e2bb52a9d84b
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:05 -0300
+Date:   2013-08-29 04:12:39 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index 3ef2fdb..99f9422 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,7 +1,7 @@
-Bottom: 9c86370cb53d549c50d2c79be3379b37f1330469
-Top:    d24392f659023698231462cdff3a7cd2c718b328
+Bottom: a46ac9b1deecd51710762b73ec64e2bb52a9d84b
+Top:    bd7cc55350cfbbd116f5a730a8bef8f534c74b53
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:05 -0300
+Date:   2013-08-29 04:12:40 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index 4cb62ce..a3e730f 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,7 +1,7 @@
-Bottom: d24392f659023698231462cdff3a7cd2c718b328
-Top:    a8f636ec2c63e1659cb6bb784fc1da03dea18213
+Bottom: bd7cc55350cfbbd116f5a730a8bef8f534c74b53
+Top:    cb52d0ad721c1624720477c9407cdb3fef52b742
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:05 -0300
+Date:   2013-08-29 04:12:40 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 11d0154..1c47eff 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,7 +1,7 @@
-Bottom: a8f636ec2c63e1659cb6bb784fc1da03dea18213
-Top:    e56878e0c3824c71e49300c70bc897ef4c95eba9
+Bottom: cb52d0ad721c1624720477c9407cdb3fef52b742
+Top:    cdcfad758945d3cea0d9f124bc38710c8fb23496
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:05 -0300
+Date:   2013-08-29 04:12:41 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 1c15c78..e4c63c3 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,7 +1,7 @@
-Bottom: e56878e0c3824c71e49300c70bc897ef4c95eba9
-Top:    5e33d66bee65faf09bea523f63284bba8bfc037b
+Bottom: cdcfad758945d3cea0d9f124bc38710c8fb23496
+Top:    e77fd4ac0a9784c71ac174e7dee32d3e2aa16184
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:05 -0300
+Date:   2013-08-29 04:12:41 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 3a82b5b..c6bc8da 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,7 +1,7 @@
-Bottom: 5e33d66bee65faf09bea523f63284bba8bfc037b
-Top:    f72a7e64af28a199527df245fb9aa731d99c95c4
+Bottom: e77fd4ac0a9784c71ac174e7dee32d3e2aa16184
+Top:    b33d6f51141d8f2f5e6b95c5eb48b46237ca4af9
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:06 -0300
+Date:   2013-08-29 04:12:42 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index d9b8fda..072f554 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,7 +1,7 @@
-Bottom: f72a7e64af28a199527df245fb9aa731d99c95c4
-Top:    049700a49dafb85830a3b5d7f204ab655fb1062a
+Bottom: b33d6f51141d8f2f5e6b95c5eb48b46237ca4af9
+Top:    0d10a649c4473d9a6fb609ec81fa26e8a629d061
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:06 -0300
+Date:   2013-08-29 04:12:43 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 98130d6..aef66bc 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,7 +1,7 @@
-Bottom: 049700a49dafb85830a3b5d7f204ab655fb1062a
-Top:    830ce3133ca2adb5e7292565caf7cc33905af262
+Bottom: 0d10a649c4473d9a6fb609ec81fa26e8a629d061
+Top:    e36ec2efcbfbb0271060509e53c1c357a9688a7f
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:06 -0300
+Date:   2013-08-29 04:12:43 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index bdd420f..f2ba59a 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,7 +1,7 @@
-Bottom: 830ce3133ca2adb5e7292565caf7cc33905af262
-Top:    c46f27af7da7f04821d8d604cb1f6fdebe1af493
+Bottom: e36ec2efcbfbb0271060509e53c1c357a9688a7f
+Top:    070ad4074ca24a78565b334b04451ba020429abe
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:06 -0300
+Date:   2013-08-29 04:12:44 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 6b585e7..85da9aa 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,7 +1,7 @@
-Bottom: 4de5887b6571c90da0520d05ea43f403a3fa34ec
-Top:    ba68695341ed62fde872ec262b801f8614334865
+Bottom: 9fe02cfc9a3804b9559a551581b75c028f9b91bd
+Top:    ccbfd7f0cfb967e1801d4cd3f0d65b69ea3f11a4
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:07 -0300
+Date:   2013-08-29 04:12:50 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 7af432c..3cd2f00 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,7 +1,7 @@
-Bottom: ba68695341ed62fde872ec262b801f8614334865
-Top:    b635b868ec5a8b50d788d6f60becf14146373aff
+Bottom: ccbfd7f0cfb967e1801d4cd3f0d65b69ea3f11a4
+Top:    f7f7a15f0c84bba8877a582df6dbd055187a041c
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:07 -0300
+Date:   2013-08-29 04:12:51 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 6a1a9c5..4affaf8 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,7 +1,7 @@
-Bottom: c46f27af7da7f04821d8d604cb1f6fdebe1af493
-Top:    4de5887b6571c90da0520d05ea43f403a3fa34ec
+Bottom: 070ad4074ca24a78565b334b04451ba020429abe
+Top:    9fe02cfc9a3804b9559a551581b75c028f9b91bd
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:07 -0300
+Date:   2013-08-29 04:12:49 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index c9f81fd..364aea5 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,7 +1,7 @@
-Bottom: b635b868ec5a8b50d788d6f60becf14146373aff
-Top:    3fbfb29a402aef2bc5a15640726741426eca8904
+Bottom: f7f7a15f0c84bba8877a582df6dbd055187a041c
+Top:    97e0541602be704b65a32187d99e52c3138d4d04
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:07 -0300
+Date:   2013-08-29 04:12:51 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index b3af1bf..e6d842e 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,7 +1,7 @@
-Bottom: 3fbfb29a402aef2bc5a15640726741426eca8904
-Top:    f75a142a5e1e8c6b49e3a8f622e8d0177f357f3d
+Bottom: 97e0541602be704b65a32187d99e52c3138d4d04
+Top:    71911a0d161093360cc979a0f75987e8706f33b6
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:08 -0300
+Date:   2013-08-29 04:12:52 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index 2c9c0e9..ff2b700 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,7 +1,7 @@
-Bottom: 39cf8b6977e5b0eb658a937d498281477afa6821
-Top:    bc51276153dccb4e0691cf1f0eb3c565579e39f7
+Bottom: 98aee56c2b6c46ef89db799efabe6ab30c9729a1
+Top:    52f86982187c30275067463fb7a6064b54969139
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:04 -0300
+Date:   2013-08-29 04:12:37 -0300
 
 Thread safety documentation.
 
diff --git a/patches/remove-sysdeps-ieee754-support.patch b/patches/remove-sysdeps-ieee754-support.patch
index 034bcd4..ce4346c 100644
--- a/patches/remove-sysdeps-ieee754-support.patch
+++ b/patches/remove-sysdeps-ieee754-support.patch
@@ -1,7 +1,7 @@
-Bottom: d06b3f23c180fe174e52c5f9388baa61d6ac33cc
-Top:    39cf8b6977e5b0eb658a937d498281477afa6821
+Bottom: a37ea8d691d49aaa2e36925f64cadc88674f1b39
+Top:    98aee56c2b6c46ef89db799efabe6ab30c9729a1
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:04 -0300
+Date:   2013-08-29 04:12:36 -0300
 
 Remove unused sysdeps/ieee754/support.c.
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 29447c9..2bc2eea 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,7 +1,7 @@
-Bottom: 1049e70d3641bba6f9f04cf81836dfef2917e3b3
-Top:    d06b3f23c180fe174e52c5f9388baa61d6ac33cc
+Bottom: ca1315b0033f11c3f3d8879e9e0fb14d71dadf3b
+Top:    a37ea8d691d49aaa2e36925f64cadc88674f1b39
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:03 -0300
+Date:   2013-08-29 04:12:34 -0300
 
 Rename unused scalb to scalbn to match prototype.
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 6347b49..cae2acb 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,7 +1,7 @@
-Bottom: 433caedec169e879059fe6a497b2a6f420d94334
-Top:    e5495b72159bea83c172508270804cf16b3f60ec
+Bottom: f528b7b2631aa970b7a9c2868269f120e51ddf6f
+Top:    8302a915c7103c415d81e3db9b4e0b9db02bb42b
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:08 -0300
+Date:   2013-08-29 04:13:05 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index f9a8ef8..77b2631 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,7 +1,7 @@
-Bottom: f75a142a5e1e8c6b49e3a8f622e8d0177f357f3d
-Top:    74197c280c2327b55e496226262a0ce471390321
+Bottom: 71911a0d161093360cc979a0f75987e8706f33b6
+Top:    48f3dc76c3e3461d4a79137423312ee9d4a99ee0
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:08 -0300
+Date:   2013-08-29 04:12:52 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 7737e49..ee57db1 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,7 +1,7 @@
-Bottom: 74197c280c2327b55e496226262a0ce471390321
-Top:    03e8cc5f3903301a0af65e6ddd0359e1c48cd0b1
+Bottom: 48f3dc76c3e3461d4a79137423312ee9d4a99ee0
+Top:    fe2388feda441b099b6db701fab60199b9a385f0
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:09 -0300
+Date:   2013-08-29 04:12:53 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 75b2d6f..a4722b4 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,7 +1,7 @@
-Bottom: 50350adeaabebba128c4819026b005be23b60024
-Top:    2827bf77a32cb7dea2034fa4d12eeb52db8491a8
+Bottom: 54f51cc24c8038bf966957936a78214bb4001b07
+Top:    aa3dbf5537f25ecc771448e84d89b4535b1c6f70
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:09 -0300
+Date:   2013-08-29 04:12:54 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 86ed331..7f82f0a 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,7 +1,7 @@
-Bottom: 03e8cc5f3903301a0af65e6ddd0359e1c48cd0b1
-Top:    50350adeaabebba128c4819026b005be23b60024
+Bottom: fe2388feda441b099b6db701fab60199b9a385f0
+Top:    54f51cc24c8038bf966957936a78214bb4001b07
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:08 -0300
+Date:   2013-08-29 04:12:53 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 37bf7dd..f8b1f7d 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,7 +1,7 @@
-Bottom: 2827bf77a32cb7dea2034fa4d12eeb52db8491a8
-Top:    94e8f6c89b1345b143d4d651785e301effcb97e4
+Bottom: aa3dbf5537f25ecc771448e84d89b4535b1c6f70
+Top:    df309a874addf70b8a7a1debf3b0de3512d70a58
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:09 -0300
+Date:   2013-08-29 04:12:54 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 02f1a3c..cf5d100 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,7 +1,7 @@
-Bottom: 94e8f6c89b1345b143d4d651785e301effcb97e4
-Top:    c48ef49e78eb0f0a0327fe9f89b47646609f316e
+Bottom: df309a874addf70b8a7a1debf3b0de3512d70a58
+Top:    113ab3d6e3ff6f9318e93ab05c0aca48dd213a9e
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:09 -0300
+Date:   2013-08-29 04:13:02 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 15d5d06..9aecb4a 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,7 +1,7 @@
-Bottom: c48ef49e78eb0f0a0327fe9f89b47646609f316e
-Top:    8d1dadaf72de52e6a5b1e028fed9aa52ba3b56c2
+Bottom: 113ab3d6e3ff6f9318e93ab05c0aca48dd213a9e
+Top:    004b08ebe327a6ae66f437a41c9ef84820f7f127
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:10 -0300
+Date:   2013-08-29 04:13:03 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 97d9998..0271f4f 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,7 +1,7 @@
-Bottom: 8d1dadaf72de52e6a5b1e028fed9aa52ba3b56c2
-Top:    433caedec169e879059fe6a497b2a6f420d94334
+Bottom: 004b08ebe327a6ae66f437a41c9ef84820f7f127
+Top:    f528b7b2631aa970b7a9c2868269f120e51ddf6f
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:10 -0300
+Date:   2013-08-29 04:13:04 -0300
 
 Thread safety documentation.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e9145a48fc85e7f29a8589f4c8185647d0907e34

commit e9145a48fc85e7f29a8589f4c8185647d0907e34
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:13:05 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..f07135e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=95da1194f415a13a61ce12c7439d411d990dc92e

commit 95da1194f415a13a61ce12c7439d411d990dc92e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:13:04 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=31e58276bacf72345d2bf27b274bcd254f615a4b

commit 31e58276bacf72345d2bf27b274bcd254f615a4b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:13:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=134a32db5ba4664731ebc1c2c15aaad32da69e07

commit 134a32db5ba4664731ebc1c2c15aaad32da69e07
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:13:02 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=13b20f6390fe51eabd827a7d4833df7c9b32f962

commit 13b20f6390fe51eabd827a7d4833df7c9b32f962
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:54 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..1408033 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1646,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2686,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=166b7eedb8e53f936ef842f708c68b2ac2394a76

commit 166b7eedb8e53f936ef842f708c68b2ac2394a76
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:54 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2df7a11143b0aec001575ef211e69f2fa271c61d

commit 2df7a11143b0aec001575ef211e69f2fa271c61d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=944dd9eb606418530cc96cbaca0aaeb6ec89d590

commit 944dd9eb606418530cc96cbaca0aaeb6ec89d590
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=305b77447b06df4c81a48a7f7dc0956ef8fe25e5

commit 305b77447b06df4c81a48a7f7dc0956ef8fe25e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:52 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e8eca86a677a80f62b5bb0a17597cddf0a3cd9d5

commit e8eca86a677a80f62b5bb0a17597cddf0a3cd9d5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:52 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..5667af3 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1397,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1407,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1417,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1546,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1631,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2393,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2403,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2444,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2653,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2662,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2827,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4243,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4441,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4636,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4806,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4823,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4948,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5118,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5234,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7fa5c0efde5f43928620b11438856b9174d41391

commit 7fa5c0efde5f43928620b11438856b9174d41391
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:51 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1326,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1353,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1450,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1585,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1597,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1609,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1728,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2201,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2287,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2463,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2775,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3882,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3902,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=594da3770c027a01968fcfd3e459fc13bbdbf047

commit 594da3770c027a01968fcfd3e459fc13bbdbf047
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:51 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=82c921e0fe0e03260273e0c3b9c534cb9ddc83ea

commit 82c921e0fe0e03260273e0c3b9c534cb9ddc83ea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1154,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1188,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1227,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1322,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=756f4b7231c09a2f3330bfe8cef81cb9affbf4a4

commit 756f4b7231c09a2f3330bfe8cef81cb9affbf4a4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:49 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0b99c70c2cfa83e1c2f06765613650f7d0baa3cd

commit 0b99c70c2cfa83e1c2f06765613650f7d0baa3cd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:44 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=455ec866c88f22881882323df735a2bdd7a2e5c8

commit 455ec866c88f22881882323df735a2bdd7a2e5c8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:43 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 814c210..c7eb13b 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the
 file.  This structure is associated with the @var{dirstream} handle
@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is a version of @code{readdir} which performs internal
 locking.  Like @code{readdir} it returns the next entry from the
 directory.  To prevent conflicts between simultaneously running
@@ -549,6 +591,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -630,6 +683,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -649,6 +706,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -679,6 +749,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -913,6 +993,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1223,6 +1320,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1282,6 +1380,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1323,6 +1423,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1404,6 +1507,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1908,6 +2020,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1942,6 +2056,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1969,6 +2091,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -2007,12 +2132,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -2020,6 +2147,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -2027,12 +2155,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2765,6 +2907,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2830,6 +2979,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2846,6 +2998,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3225,6 +3413,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=14586b49baa8cc3f7130be193d847967e9ce16d8

commit 14586b49baa8cc3f7130be193d847967e9ce16d8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:43 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=69023efa78bdaca363b5de32f56adea8ce05e13b

commit 69023efa78bdaca363b5de32f56adea8ce05e13b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:42 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bc57e1374fa217ebb08b3dc75c515873e34a230f

commit bc57e1374fa217ebb08b3dc75c515873e34a230f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bfd41b844cd2a718215b48d96bcfb88a593a3b58

commit bfd41b844cd2a718215b48d96bcfb88a593a3b58
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..a3c8fa5 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,6 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
@@ -127,6 +134,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +202,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +250,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +266,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +281,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +300,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +382,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +409,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=95d536639518ae7a6e106105e40e759ebaac1e85

commit 95d536639518ae7a6e106105e40e759ebaac1e85
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index c720063..79bfcdb 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1348,6 +1359,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1375,6 +1391,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1624,6 +1642,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=57efa1b33f9b1d513d9f5af800c821485ad43bea

commit 57efa1b33f9b1d513d9f5af800c821485ad43bea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6d1424edfa9fc55d9ae9188866fc4d07ca999ebb

commit 6d1424edfa9fc55d9ae9188866fc4d07ca999ebb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e7b55795888c074364e9070adc34af37c58b1b70

commit e7b55795888c074364e9070adc34af37c58b1b70
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:39 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=400cde6651833f07505f9d1b935539ecac53f006

commit 400cde6651833f07505f9d1b935539ecac53f006
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:37 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..c3142ad 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,434 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{oncesafe}
+@cindex oncesafe
+
+Functions marked with @code{oncesafe} use the internal @code{libc_once}
+machinery to initialize internal data structures.
+
+If a signal handler interrupts such an initializer, and calls any
+function that also performs @code{libc_once} initialization, it will
+deadlock if the thread library is linked in.
+
+Furthermore, if an initializer is partially complete before it is
+canceled or interrupted by a signal whose handler requires the same
+initialization, some or all of the initialization may be performed more
+than once, leaking resources or even result in corrupt internal data
+structures.
+
+Applications that need to call functions marked with @code{oncesafe}
+should ensure the initialization is performed before configuring signal
+handlers or enabling cancellation, so that the AS- and AC-Safety issues
+related with @code{libc_once} do not arise.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+properties we documented are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=34abea62b6ff2865a7f75c0d5186018b3a82899d

commit 34abea62b6ff2865a7f75c0d5186018b3a82899d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:36 2013 -0300

    Remove unused sysdeps/ieee754/support.c.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c: Remove.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
deleted file mode 100644
index 0bbd892..0000000
--- a/sysdeps/ieee754/support.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
-#endif /* not lint */
-
-/*
- * Some IEEE standard 754 recommended functions and remainder and sqrt for
- * supporting the C elementary functions.
- ******************************************************************************
- * WARNING:
- *      These codes are developed (in double) to support the C elementary
- * functions temporarily. They are not universal, and some of them are very
- * slow (in particular, drem and sqrt is extremely inefficient). Each
- * computer system should have its implementation of these functions using
- * its own assembler.
- ******************************************************************************
- *
- * IEEE 754 required operations:
- *     drem(x,p)
- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
- *              nearest x/y; in half way case, choose the even one.
- *     sqrt(x)
- *              returns the square root of x correctly rounded according to
- *		the rounding mod.
- *
- * IEEE 754 recommended functions:
- * (a) copysign(x,y)
- *              returns x with the sign of y.
- * (b) scalb(x,N)
- *              returns  x * (2**N), for integer values N.
- * (c) logb(x)
- *              returns the unbiased exponent of x, a signed integer in
- *              double precision, except that logb(0) is -INF, logb(INF)
- *              is +INF, and logb(NAN) is that NAN.
- * (d) finite(x)
- *              returns the value TRUE if -INF < x < +INF and returns
- *              FALSE otherwise.
- *
- *
- * CODED IN C BY K.C. NG, 11/25/84;
- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
- */
-
-#include "mathimpl.h"
-
-#if defined(vax)||defined(tahoe)      /* VAX D format */
-#include <errno.h>
-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
-    static const short  prep1=57, gap=7, bias=129           ;
-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
-#else	/* defined(vax)||defined(tahoe) */
-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
-    static const short prep1=54, gap=4, bias=1023           ;
-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
-#endif	/* defined(vax)||defined(tahoe) */
-
-double scalbn(x,N)
-double x; int N;
-{
-        int k;
-
-#ifdef national
-        unsigned short *px=(unsigned short *) &x + 3;
-#else	/* national */
-        unsigned short *px=(unsigned short *) &x;
-#endif	/* national */
-
-        if( x == zero )  return(x);
-
-#if defined(vax)||defined(tahoe)
-        if( (k= *px & mexp ) != ~msign ) {
-            if (N < -260)
-		return(nunf*nunf);
-	    else if (N > 260) {
-		return(copysign(infnan(ERANGE),x));
-	    }
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp ) {
-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
-            if( k == 0 ) {
-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
-#endif	/* defined(vax)||defined(tahoe) */
-
-            if((k = (k>>gap)+ N) > 0 )
-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
-                else x=novf+novf;               /* overflow */
-            else
-                if( k > -prep1 )
-                                        /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
-                else
-                return(nunf*nunf);
-            }
-        return(x);
-}
-
-
-double copysign(x,y)
-double x,y;
-{
-#ifdef national
-        unsigned short  *px=(unsigned short *) &x+3,
-                        *py=(unsigned short *) &y+3;
-#else	/* national */
-        unsigned short  *px=(unsigned short *) &x,
-                        *py=(unsigned short *) &y;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        if ( (*px & mexp) == 0 ) return(x);
-#endif	/* defined(vax)||defined(tahoe) */
-
-        *px = ( *px & msign ) | ( *py & ~msign );
-        return(x);
-}
-
-double logb(x)
-double x;
-{
-
-#ifdef national
-        short *px=(short *) &x+3, k;
-#else	/* national */
-        short *px=(short *) &x, k;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        return (int)(((*px&mexp)>>gap)-bias);
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp )
-            if ( k != 0 )
-                return ( (k>>gap) - bias );
-            else if( x != zero)
-                return ( -1022.0 );
-            else
-                return(-(1.0/zero));
-        else if(x != x)
-            return(x);
-        else
-            {*px &= msign; return(x);}
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-finite(x)
-double x;
-{
-#if defined(vax)||defined(tahoe)
-        return(1);
-#else	/* defined(vax)||defined(tahoe) */
-#ifdef national
-        return( (*((short *) &x+3 ) & mexp ) != mexp );
-#else	/* national */
-        return( (*((short *) &x ) & mexp ) != mexp );
-#endif	/* national */
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-double drem(x,p)
-double x,p;
-{
-        short sign;
-        double hp,dp,tmp;
-        unsigned short  k;
-#ifdef national
-        unsigned short
-              *px=(unsigned short *) &x  +3,
-              *pp=(unsigned short *) &p  +3,
-              *pd=(unsigned short *) &dp +3,
-              *pt=(unsigned short *) &tmp+3;
-#else	/* national */
-        unsigned short
-              *px=(unsigned short *) &x  ,
-              *pp=(unsigned short *) &p  ,
-              *pd=(unsigned short *) &dp ,
-              *pt=(unsigned short *) &tmp;
-#endif	/* national */
-
-        *pp &= msign ;
-
-#if defined(vax)||defined(tahoe)
-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *px & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		return  (x-p)-(x-p);	/* create nan if x is inf */
-	if (p == zero) {
-#if defined(vax)||defined(tahoe)
-		return(infnan(EDOM));
-#else	/* defined(vax)||defined(tahoe) */
-		return zero/zero;
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-#if defined(vax)||defined(tahoe)
-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *pp & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		{ if (p != p) return p; else return x;}
-
-        else  if ( ((*pp & mexp)>>gap) <= 1 )
-                /* subnormal p, or almost subnormal p */
-            { double b; b=scalbn(1.0,(int)prep1);
-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
-        else  if ( p >= novf/2)
-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
-        else
-            {
-                dp=p+p; hp=p/2;
-                sign= *px & ~msign ;
-                *px &= msign       ;
-                while ( x > dp )
-                    {
-                        k=(*px & mexp) - (*pd & mexp) ;
-                        tmp = dp ;
-                        *pt += k ;
-
-#if defined(vax)||defined(tahoe)
-                        if( x < tmp ) *pt -= 128 ;
-#else	/* defined(vax)||defined(tahoe) */
-                        if( x < tmp ) *pt -= 16 ;
-#endif	/* defined(vax)||defined(tahoe) */
-
-                        x -= tmp ;
-                    }
-                if ( x > hp )
-                    { x -= p ;  if ( x >= hp ) x -= p ; }
-
-#if defined(vax)||defined(tahoe)
-		if (x)
-#endif	/* defined(vax)||defined(tahoe) */
-			*px ^= sign;
-                return( x);
-
-            }
-}
-
-
-double sqrt(x)
-double x;
-{
-        double q,s,b,r;
-        double t;
-	double const zero=0.0;
-        int m,n,i;
-#if defined(vax)||defined(tahoe)
-        int k=54;
-#else	/* defined(vax)||defined(tahoe) */
-        int k=51;
-#endif	/* defined(vax)||defined(tahoe) */
-
-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-        if(x!=x||x==zero) return(x);
-
-    /* sqrt(negative) is invalid */
-        if(x<zero) {
-#if defined(vax)||defined(tahoe)
-		return (infnan(EDOM));	/* NaN */
-#else	/* defined(vax)||defined(tahoe) */
-		return(zero/zero);
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-    /* sqrt(INF) is INF */
-        if(!finite(x)) return(x);
-
-    /* scale x to [1,4) */
-        n=logb(x);
-        x=scalbn(x,-n);
-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
-        m += n;
-        n = m/2;
-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
-
-    /* generate sqrt(x) bit by bit (accumulating in q) */
-            q=1.0; s=4.0; x -= 1.0; r=1;
-            for(i=1;i<=k;i++) {
-                t=s+1; x *= 4; r /= 2;
-                if(t<=x) {
-                    s=t+t+2, x -= t; q += r;}
-                else
-                    s *= 2;
-                }
-
-    /* generate the last bit and determine the final rounding */
-            r/=2; x *= 4;
-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
-            if(s<x) {
-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
-                t = (x-s)-5;
-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
-            else {
-                s *= 2; x *= 4;
-                t = (x-s)-1;
-                b=1.0+3*r/4; if(b==1.0) goto end;
-                b=1.0+r/4;   if(b>1.0) t=1;
-                if(t>=0) q+=r; }
-
-end:        return(scalbn(q,n));
-}
-
-#if 0
-/* DREM(X,Y)
- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
- * INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions (not on a VAX):
- *     swapINX(i): save inexact flag and reset it to "i"
- *     swapENI(e): save inexact enable and reset it to "e"
- */
-
-double drem(x,y)
-double x,y;
-{
-
-#ifdef national		/* order of words in floating point number */
-	static const n0=3,n1=2,n2=1,n3=0;
-#else /* VAX, SUN, ZILOG, TAHOE */
-	static const n0=0,n1=1,n2=2,n3=3;
-#endif
-
-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
-	static const double zero=0.0;
-	double hy,y1,t,t1;
-	short k;
-	long n;
-	int i,e;
-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
-			nx,nf,	  *py  =(unsigned short *) &y  ,
-			sign,	  *pt  =(unsigned short *) &t  ,
-				  *pt1 =(unsigned short *) &t1 ;
-
-	xexp = px[n0] & mexp ;	/* exponent of x */
-	yexp = py[n0] & mexp ;	/* exponent of y */
-	sign = px[n0] &0x8000;	/* sign of x     */
-
-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
-	if(y==zero) return(y/y);
-
-/* save the inexact flag and inexact enable in i and e respectively
- * and reset them to zero
- */
-	i=swapINX(0);	e=swapENI(0);
-
-/* subnormal number */
-	nx=0;
-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
-
-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
-
-	nf=nx;
-	py[n0] &= 0x7fff;
-	px[n0] &= 0x7fff;
-
-/* mask off the least significant 27 bits of y */
-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
-
-/* LOOP: argument reduction on x whenever x > y */
-loop:
-	while ( x > y )
-	{
-	    t=y;
-	    t1=y1;
-	    xexp=px[n0]&mexp;	  /* exponent of x */
-	    k=xexp-yexp-m25;
-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
-		{pt[n0]+=k;pt1[n0]+=k;}
-	    n=x/t; x=(x-n*t1)-n*(t-t1);
-	}
-    /* end while (x > y) */
-
-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
-
-/* final adjustment */
-
-	hy=y/2.0;
-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
-	px[n0] ^= sign;
-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
-
-/* restore inexact flag and inexact enable */
-	swapINX(i); swapENI(e);
-
-	return(x);
-}
-#endif
-
-#if 0
-/* SQRT
- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/22/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions:
- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
- */
-
-static const unsigned long table[] = {
-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
-
-double newsqrt(x)
-double x;
-{
-        double y,z,t,addc(),subc()
-	double const b54=134217728.*134217728.; /* b54=2**54 */
-        long mx,scalx;
-	long const mexp=0x7ff00000;
-        int i,j,r,e,swapINX(),swapRM(),swapENI();
-        unsigned long *py=(unsigned long *) &y   ,
-                      *pt=(unsigned long *) &t   ,
-                      *px=(unsigned long *) &x   ;
-#ifdef national         /* ordering of word in a floating point number */
-        const int n0=1, n1=0;
-#else
-        const int n0=0, n1=1;
-#endif
-/* Rounding Mode:  RN ...round-to-nearest
- *                 RZ ...round-towards 0
- *                 RP ...round-towards +INF
- *		   RM ...round-towards -INF
- */
-        const int RN=0,RZ=1,RP=2,RM=3;
-				/* machine dependent: work on a Zilog Z8070
-                                 * and a National 32081 & 16081
-                                 */
-
-/* exceptions */
-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
-
-/* save, reset, initialize */
-        e=swapENI(0);   /* ...save and reset the inexact enable */
-        i=swapINX(0);   /* ...save INEXACT flag */
-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
-        scalx=0;
-
-/* subnormal number, scale up x to x*2**54 */
-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
-
-/* scale x to avoid intermediate over/underflow:
- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
-
-/* magic initial approximation to almost 8 sig. bits */
-        py[n0]=(px[n0]>>1)+0x1ff80000;
-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
-
-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
-
-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
-
-/* twiddle last bit to force y correctly rounded */
-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
-        swapINX(0);     /* ...clear INEXACT flag */
-        swapENI(e);     /* ...restore inexact enable status */
-        t=x/y;          /* ...chopped quotient, possibly inexact */
-        j=swapINX(i);   /* ...read and restore inexact flag */
-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
-        y=y+t;                          /* ...chopped sum */
-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
-        swapRM(r);                      /* ...restore Rounding Mode */
-        return(y);
-}
-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=601f2444208808e1d17c679fa7a119ccb9db4254

commit 601f2444208808e1d17c679fa7a119ccb9db4254
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:12:34 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f629830e477da31c658efce637dcd5bf11b00ed8

commit f629830e477da31c658efce637dcd5bf11b00ed8
Merge: 9be17e5 2e649ae af9711c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:09:45 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9be17e5117b896d04a7e06fa3c1c8c269d430f0b

commit 9be17e5117b896d04a7e06fa3c1c8c269d430f0b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:09:45 2013 -0300

    refresh

diff --git a/meta b/meta
index 09e1fd6..fa4c5d2 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: e6321f6f88bd6024b0532486f0bf9b43ebf23b0c
-Head: 180532bd97eab73fca355a7049ada9f825483002
+Previous: af9711c5b7808f21ee60eb46c8048c3d054f0c31
+Head: 2e649ae373826f51a9c30dff4a9f0d3366c7a4b3
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: d4b7d87f6ac0c1c4f537289efc7877c4d5bbae93
   wip-manual-document-mt-safety-threads.patch: 3c71f75c7c0c64263bc679cc89fbfbcea8753653
   wip-manual-document-mt-safety-time.patch: 0b3afb70e5ee7968cd9653bfa592f05bb5f4798d
-  wip-manual-document-mt-safety-locale.patch: afb86d3a0ff16fe7ba1bac6ce482d367311e7771
-  refresh-temp: 180532bd97eab73fca355a7049ada9f825483002
+  wip-manual-document-mt-safety-locale.patch: 2e649ae373826f51a9c30dff4a9f0d3366c7a4b3
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 91180d9..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,93 +0,0 @@
-Bottom: 968fb766f8ba8e00249074d4e9889193f200d887
-Top:    e5495b72159bea83c172508270804cf16b3f60ec
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-29 04:09:44 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index 36cda7f..f07135e 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -224,14 +224,14 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @comment locale.h
- @comment ISO
- @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
--@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
-+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
- @c Uses of the global locale object are unguarded in functions that
- @c ought to be MT-Safe, so we're ruling out the use of this function
- @c once threads are started.  It takes a write lock itself, but it may
- @c return a pointer loaded from the global locale object after releasing
- @c the lock, or before taking it.
- @c This function returns a pointer read...
--@c setlocale
-+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
- @c  libc_rwlock_wrlock selfdeadlock, lockleak
- @c  libc_rwlock_unlock lockleak
- @c  getenv LOCPATH envromt
-@@ -240,7 +240,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c  new_composite_name ok
- @c  setdata ok
- @c  setname ok
--@c  _nl_find_locale
-+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
- @c   getenv LC_ALL and LANG envromt
- @c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
- @c    sysconf _SC_PAGE_SIZE ok
-@@ -300,8 +300,8 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c    free asmalloc, memleak
- @c    _nl_intern_locale_data dup asmalloc, memleak
- @c    munmap ok
--@c   __gconv_compare_alias
--@c    __gconv_read_conf oncesafe
-+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
-+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
- @c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
- @c      never modified afterwards)
- @c     __gconv_load_cache asmalloc, memleak, fdleak
-@@ -320,22 +320,34 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c      malloc asmalloc, memleak
- @c      strtok_r ok
- @c      libc_lock_unlock lockleak
--@c     read_conf_file
-+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
- @c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
- @c      fsetlocking ok
- @c      feof_unlocked ok
- @c      getdelim asmalloc, asynconsist, memleak, incansist
- @c      isspace_l ok (C locale)
- @c      add_alias
--@c       +
--@c      add_module
--@c       +
-+@c       isspace_l ok (C locale)
-+@c       toupper_l ok (C locale)
-+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
-+@c      add_module asmalloc, memleak
-+@c       isspace_l ok (C locale)
-+@c       toupper_l ok (C locale)
-+@c       strtol ok (glocale, but we hold the locale lock)
-+@c       tfind __gconv_alias_db ok
-+@c        __gconv_alias_compare dup ok
-+@c       calloc asmalloc, memleak
-+@c       insert_module dup asmalloc
- @c     __tfind ok (because the tree is read only by then)
- @c      __gconv_alias_compare dup ok
--@c     insert_module
--@c      +
--@c     add_alias2
--@c      +
-+@c     insert_module asmalloc
-+@c      free asmalloc
-+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
-+@c      detect_conflict ok, reads __gconv_modules_db
-+@c      malloc asmalloc, memleak
-+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
-+@c       __gconv_alias_compare ok
-+@c      free asmalloc
- @c    __gconv_compare_alias_cache ok
- @c     find_module_idx ok
- @c    do_lookup_alias ok
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 0994824..6347b49 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: 433caedec169e879059fe6a497b2a6f420d94334
-Top:    968fb766f8ba8e00249074d4e9889193f200d887
+Top:    e5495b72159bea83c172508270804cf16b3f60ec
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
@@ -13,21 +13,21 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..36cda7f 100644
+index 2f10fcd..f07135e 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
-@@ -224,6 +224,125 @@ The symbols in this section are defined in the header file @file{locale.h}.
+@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
  @comment locale.h
  @comment ISO
  @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
 +@c Uses of the global locale object are unguarded in functions that
 +@c ought to be MT-Safe, so we're ruling out the use of this function
 +@c once threads are started.  It takes a write lock itself, but it may
 +@c return a pointer loaded from the global locale object after releasing
 +@c the lock, or before taking it.
 +@c This function returns a pointer read...
-+@c setlocale
++@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
 +@c  libc_rwlock_wrlock selfdeadlock, lockleak
 +@c  libc_rwlock_unlock lockleak
 +@c  getenv LOCPATH envromt
@@ -36,7 +36,7 @@ index 2f10fcd..36cda7f 100644
 +@c  new_composite_name ok
 +@c  setdata ok
 +@c  setname ok
-+@c  _nl_find_locale
++@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
 +@c   getenv LC_ALL and LANG envromt
 +@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
 +@c    sysconf _SC_PAGE_SIZE ok
@@ -96,8 +96,8 @@ index 2f10fcd..36cda7f 100644
 +@c    free asmalloc, memleak
 +@c    _nl_intern_locale_data dup asmalloc, memleak
 +@c    munmap ok
-+@c   __gconv_compare_alias
-+@c    __gconv_read_conf oncesafe
++@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
++@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
 +@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
 +@c      never modified afterwards)
 +@c     __gconv_load_cache asmalloc, memleak, fdleak
@@ -116,22 +116,34 @@ index 2f10fcd..36cda7f 100644
 +@c      malloc asmalloc, memleak
 +@c      strtok_r ok
 +@c      libc_lock_unlock lockleak
-+@c     read_conf_file
++@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
 +@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
 +@c      fsetlocking ok
 +@c      feof_unlocked ok
 +@c      getdelim asmalloc, asynconsist, memleak, incansist
 +@c      isspace_l ok (C locale)
 +@c      add_alias
-+@c       +
-+@c      add_module
-+@c       +
++@c       isspace_l ok (C locale)
++@c       toupper_l ok (C locale)
++@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
++@c      add_module asmalloc, memleak
++@c       isspace_l ok (C locale)
++@c       toupper_l ok (C locale)
++@c       strtol ok (glocale, but we hold the locale lock)
++@c       tfind __gconv_alias_db ok
++@c        __gconv_alias_compare dup ok
++@c       calloc asmalloc, memleak
++@c       insert_module dup asmalloc
 +@c     __tfind ok (because the tree is read only by then)
 +@c      __gconv_alias_compare dup ok
-+@c     insert_module
-+@c      +
-+@c     add_alias2
-+@c      +
++@c     insert_module asmalloc
++@c      free asmalloc
++@c     add_alias2 asynconsist, asmalloc, incansist, memleak
++@c      detect_conflict ok, reads __gconv_modules_db
++@c      malloc asmalloc, memleak
++@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
++@c       __gconv_alias_compare ok
++@c      free asmalloc
 +@c    __gconv_compare_alias_cache ok
 +@c     find_module_idx ok
 +@c    do_lookup_alias ok

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=af9711c5b7808f21ee60eb46c8048c3d054f0c31

commit af9711c5b7808f21ee60eb46c8048c3d054f0c31
Merge: 7d036ed e6321f6 180532b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:09:44 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7d036ed8e0aa7adc19dba6eae65badbd8c325287

commit 7d036ed8e0aa7adc19dba6eae65badbd8c325287
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:09:44 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 5535f53..09e1fd6 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7c4730c50b3ca97da9c26b8a7b4b302efca2b730
-Head: afb86d3a0ff16fe7ba1bac6ce482d367311e7771
+Previous: e6321f6f88bd6024b0532486f0bf9b43ebf23b0c
+Head: 180532bd97eab73fca355a7049ada9f825483002
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 3c71f75c7c0c64263bc679cc89fbfbcea8753653
   wip-manual-document-mt-safety-time.patch: 0b3afb70e5ee7968cd9653bfa592f05bb5f4798d
   wip-manual-document-mt-safety-locale.patch: afb86d3a0ff16fe7ba1bac6ce482d367311e7771
+  refresh-temp: 180532bd97eab73fca355a7049ada9f825483002
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..91180d9
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,93 @@
+Bottom: 968fb766f8ba8e00249074d4e9889193f200d887
+Top:    e5495b72159bea83c172508270804cf16b3f60ec
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-29 04:09:44 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 36cda7f..f07135e 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -224,14 +224,14 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @comment locale.h
+ @comment ISO
+ @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+-@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+ @c Uses of the global locale object are unguarded in functions that
+ @c ought to be MT-Safe, so we're ruling out the use of this function
+ @c once threads are started.  It takes a write lock itself, but it may
+ @c return a pointer loaded from the global locale object after releasing
+ @c the lock, or before taking it.
+ @c This function returns a pointer read...
+-@c setlocale
++@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+ @c  libc_rwlock_wrlock selfdeadlock, lockleak
+ @c  libc_rwlock_unlock lockleak
+ @c  getenv LOCPATH envromt
+@@ -240,7 +240,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c  new_composite_name ok
+ @c  setdata ok
+ @c  setname ok
+-@c  _nl_find_locale
++@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+ @c   getenv LC_ALL and LANG envromt
+ @c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+ @c    sysconf _SC_PAGE_SIZE ok
+@@ -300,8 +300,8 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c    free asmalloc, memleak
+ @c    _nl_intern_locale_data dup asmalloc, memleak
+ @c    munmap ok
+-@c   __gconv_compare_alias
+-@c    __gconv_read_conf oncesafe
++@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
++@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+ @c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+ @c      never modified afterwards)
+ @c     __gconv_load_cache asmalloc, memleak, fdleak
+@@ -320,22 +320,34 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c      malloc asmalloc, memleak
+ @c      strtok_r ok
+ @c      libc_lock_unlock lockleak
+-@c     read_conf_file
++@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+ @c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+ @c      fsetlocking ok
+ @c      feof_unlocked ok
+ @c      getdelim asmalloc, asynconsist, memleak, incansist
+ @c      isspace_l ok (C locale)
+ @c      add_alias
+-@c       +
+-@c      add_module
+-@c       +
++@c       isspace_l ok (C locale)
++@c       toupper_l ok (C locale)
++@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
++@c      add_module asmalloc, memleak
++@c       isspace_l ok (C locale)
++@c       toupper_l ok (C locale)
++@c       strtol ok (glocale, but we hold the locale lock)
++@c       tfind __gconv_alias_db ok
++@c        __gconv_alias_compare dup ok
++@c       calloc asmalloc, memleak
++@c       insert_module dup asmalloc
+ @c     __tfind ok (because the tree is read only by then)
+ @c      __gconv_alias_compare dup ok
+-@c     insert_module
+-@c      +
+-@c     add_alias2
+-@c      +
++@c     insert_module asmalloc
++@c      free asmalloc
++@c     add_alias2 asynconsist, asmalloc, incansist, memleak
++@c      detect_conflict ok, reads __gconv_modules_db
++@c      malloc asmalloc, memleak
++@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
++@c       __gconv_alias_compare ok
++@c      free asmalloc
+ @c    __gconv_compare_alias_cache ok
+ @c     find_module_idx ok
+ @c    do_lookup_alias ok

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=180532bd97eab73fca355a7049ada9f825483002

commit 180532bd97eab73fca355a7049ada9f825483002
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 29 04:09:44 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index 36cda7f..f07135e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,14 +224,14 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
 @c Uses of the global locale object are unguarded in functions that
 @c ought to be MT-Safe, so we're ruling out the use of this function
 @c once threads are started.  It takes a write lock itself, but it may
 @c return a pointer loaded from the global locale object after releasing
 @c the lock, or before taking it.
 @c This function returns a pointer read...
-@c setlocale
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
 @c  libc_rwlock_wrlock selfdeadlock, lockleak
 @c  libc_rwlock_unlock lockleak
 @c  getenv LOCPATH envromt
@@ -240,7 +240,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c  new_composite_name ok
 @c  setdata ok
 @c  setname ok
-@c  _nl_find_locale
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
 @c   getenv LC_ALL and LANG envromt
 @c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
 @c    sysconf _SC_PAGE_SIZE ok
@@ -300,8 +300,8 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c    free asmalloc, memleak
 @c    _nl_intern_locale_data dup asmalloc, memleak
 @c    munmap ok
-@c   __gconv_compare_alias
-@c    __gconv_read_conf oncesafe
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
 @c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
 @c      never modified afterwards)
 @c     __gconv_load_cache asmalloc, memleak, fdleak
@@ -320,22 +320,34 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c      malloc asmalloc, memleak
 @c      strtok_r ok
 @c      libc_lock_unlock lockleak
-@c     read_conf_file
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
 @c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
 @c      fsetlocking ok
 @c      feof_unlocked ok
 @c      getdelim asmalloc, asynconsist, memleak, incansist
 @c      isspace_l ok (C locale)
 @c      add_alias
-@c       +
-@c      add_module
-@c       +
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
 @c     __tfind ok (because the tree is read only by then)
 @c      __gconv_alias_compare dup ok
-@c     insert_module
-@c      +
-@c     add_alias2
-@c      +
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
 @c    __gconv_compare_alias_cache ok
 @c     find_module_idx ok
 @c    do_lookup_alias ok

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e6321f6f88bd6024b0532486f0bf9b43ebf23b0c

commit e6321f6f88bd6024b0532486f0bf9b43ebf23b0c
Merge: a41d0b5 afb86d3 7c4730c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:24:33 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a41d0b5bca3e2b9fb23eda7de3383975df244da2

commit a41d0b5bca3e2b9fb23eda7de3383975df244da2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:24:33 2013 -0300

    goto

diff --git a/meta b/meta
index db2cae7..5535f53 100644
--- a/meta
+++ b/meta
@@ -1,33 +1,33 @@
 Version: 1
-Previous: d0b8f88b8fef816ebddf48f01bc0150e975b927f
-Head: 4e51ca6a99c605099f12a779df0d47cceeb4ae4f
+Previous: 7c4730c50b3ca97da9c26b8a7b4b302efca2b730
+Head: afb86d3a0ff16fe7ba1bac6ce482d367311e7771
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
   manual-document-mt-safety.patch: 4e51ca6a99c605099f12a779df0d47cceeb4ae4f
+  manual-document-mt-safety-argp.patch: aaf60aa78ffc0da9405c007a36e9b5ad89f4d7e0
+  manual-document-mt-safety-arith.patch: f5408aef8fd0f838855b341cf29d4b3b0761ceae
+  manual-document-mt-safety-charset.patch: acec40190ccb799a124103745f39b272f5c5afa2
+  manual-document-mt-safety-conf.patch: 3f8919133306d121a29dea94df850074c59c9327
+  manual-document-mt-safety-crypt.patch: d10d9de8dc6b4909fc2ffaca9df6c08f497fe430
+  manual-document-mt-safety-ctype.patch: fe95a108afa92a848495f13bf1be98adf8eb7539
+  manual-document-mt-safety-debug.patch: 4e7d13cc87a994e6738371f001e34d4304db738f
+  manual-document-mt-safety-errno.patch: ed15acd8f144cf7fab2cb273f29a678af72fee1d
+  manual-document-mt-safety-filesys.patch: 841af416cc09ad9a10c030373274b83b7bf0e9f8
+  manual-document-mt-safety-getopt.patch: 8643cf752f8e508001e1faf25a3a50b940f5fcac
+  manual-document-mt-safety-libdl.patch: d7b8694a2eee5f336076db4c86e31d0a3e8a5884
+  manual-document-mt-safety-job.patch: dc5cc158e96987de0e4069e83b8553ae1d968df3
+  manual-document-mt-safety-lang.patch: 8d1637219ed7cc2f3bb4819d7a586659f1da3e50
+  manual-document-mt-safety-llio.patch: 114949fad3069f3c51d1cd9901a799988e8377b7
+  manual-document-mt-safety-stdio.patch: 5da6c6fb3d7087914a9d5b07d2c138b48d07891d
+  wip-manual-document-mt-safety-math.patch: 9465760239804be9c83371f416900c5d2b77c585
+  wip-manual-document-mt-safety-resource.patch: c071176c59f53ce8f1dfe15b851b99e7818cead1
+  wip-manual-document-mt-safety-startup.patch: 39bee707673a40f9f7ad816a32cb2b80767d24f5
+  wip-manual-document-mt-safety-search.patch: 7e937af701f2fa859ae881c59ced25cc3182ef1b
+  wip-manual-document-mt-safety-string.patch: 6c188d6d1877e318d247a68b863d6f25c5f62965
+  wip-manual-document-mt-safety-terminal.patch: d4b7d87f6ac0c1c4f537289efc7877c4d5bbae93
+  wip-manual-document-mt-safety-threads.patch: 3c71f75c7c0c64263bc679cc89fbfbcea8753653
+  wip-manual-document-mt-safety-time.patch: 0b3afb70e5ee7968cd9653bfa592f05bb5f4798d
+  wip-manual-document-mt-safety-locale.patch: afb86d3a0ff16fe7ba1bac6ce482d367311e7771
 Unapplied:
-  manual-document-mt-safety-argp.patch: 091e1e16a3a7c50d382e0f9eee36d6d04bcd441a
-  manual-document-mt-safety-arith.patch: 6dfda39adb1d84728fb4d392927fe32c70717f8c
-  manual-document-mt-safety-charset.patch: b58ef1fd4f0b6a89317ebce875a8c6217da8e8fa
-  manual-document-mt-safety-conf.patch: c7e8ed57d8a8ef0461deb3bb02e64e7c3c3606c1
-  manual-document-mt-safety-crypt.patch: 9a99d1deaa001ca289c66c3832e5eaf4bee898b4
-  manual-document-mt-safety-ctype.patch: 6bef7c9b865d9b4002167b45edfc3e8d74063fcf
-  manual-document-mt-safety-debug.patch: 0b2dd076556329cdfefbe5adf3c6ea16167fe17b
-  manual-document-mt-safety-errno.patch: d03f2590278bbe0c5b64d2727c6a88103e1174c6
-  manual-document-mt-safety-filesys.patch: cd6798f9231759db9a66272f1e721010946710b4
-  manual-document-mt-safety-getopt.patch: 5acd0cba09b1c0411d3c0ff44ebad682781cdea4
-  manual-document-mt-safety-libdl.patch: a6dbb793abff10ea3a8779b118e43cd27d02cd33
-  manual-document-mt-safety-job.patch: 1302198bf7ea242f1be035891c34507df7fa27e7
-  manual-document-mt-safety-lang.patch: df244861d2cc8225a441c53b523f53150727ae62
-  manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
-  manual-document-mt-safety-stdio.patch: 3f6a86b4b41552229bec8e2e30c2f20b6e0cefa4
-  wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
-  wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
-  wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
-  wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
-  wip-manual-document-mt-safety-string.patch: eb3c85b71c56902290473a92e6c8f3ffa4852964
-  wip-manual-document-mt-safety-terminal.patch: af4517fcf40418c102664f0ad468424d974e1579
-  wip-manual-document-mt-safety-threads.patch: b788aa476a3f1241be343db5eed095d40d4e7f99
-  wip-manual-document-mt-safety-time.patch: d1221244d675ec6bcc205f518c664c13def4a4a6
-  wip-manual-document-mt-safety-locale.patch: 7e105f03df345c9d37e09985a410f6d6177d8ed3
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 04e77a4..7d26e1b 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: 9dc17c777e87d9e8550bcf18a685ec2e017a008c
-Top:    8fa20da58a327ce236a45260745f81ec87a5a28c
+Bottom: bc51276153dccb4e0691cf1f0eb3c565579e39f7
+Top:    7c1f972f26f2cc5f1a309d366b4289bcd807d025
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:04 -0300
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index ad9a44a..6295886 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 8fa20da58a327ce236a45260745f81ec87a5a28c
-Top:    9e00847513aa8ca3dd870c7142c8ee63c1eea05f
+Bottom: 7c1f972f26f2cc5f1a309d366b4289bcd807d025
+Top:    9c86370cb53d549c50d2c79be3379b37f1330469
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:05 -0300
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index eb1d974..3ef2fdb 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: 9e00847513aa8ca3dd870c7142c8ee63c1eea05f
-Top:    25ef582a24250de1e2072a4015dacbfc5c2841bb
+Bottom: 9c86370cb53d549c50d2c79be3379b37f1330469
+Top:    d24392f659023698231462cdff3a7cd2c718b328
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:05 -0300
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index a919d8b..4cb62ce 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,5 +1,5 @@
-Bottom: 25ef582a24250de1e2072a4015dacbfc5c2841bb
-Top:    b0eacdf8728c94a1f78c8f658a008efcaabcc9d2
+Bottom: d24392f659023698231462cdff3a7cd2c718b328
+Top:    a8f636ec2c63e1659cb6bb784fc1da03dea18213
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:05 -0300
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index c361847..11d0154 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
-Bottom: b0eacdf8728c94a1f78c8f658a008efcaabcc9d2
-Top:    c0b0db21cd11bbf3316e8c83167e162e23ad5bfa
+Bottom: a8f636ec2c63e1659cb6bb784fc1da03dea18213
+Top:    e56878e0c3824c71e49300c70bc897ef4c95eba9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:05 -0300
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 3b2e49c..1c15c78 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: c0b0db21cd11bbf3316e8c83167e162e23ad5bfa
-Top:    1ac0ccdda2df342408b295e5121112bafddb3284
+Bottom: e56878e0c3824c71e49300c70bc897ef4c95eba9
+Top:    5e33d66bee65faf09bea523f63284bba8bfc037b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:05 -0300
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 5283b95..3a82b5b 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: 1ac0ccdda2df342408b295e5121112bafddb3284
-Top:    dc9e760360eb18c8fb0f2184676b14e7bc2177c3
+Bottom: 5e33d66bee65faf09bea523f63284bba8bfc037b
+Top:    f72a7e64af28a199527df245fb9aa731d99c95c4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:06 -0300
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index c0ca2ec..d9b8fda 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: dc9e760360eb18c8fb0f2184676b14e7bc2177c3
-Top:    6f36388aba0015568b6b2a4816dacc50146cb3fe
+Bottom: f72a7e64af28a199527df245fb9aa731d99c95c4
+Top:    049700a49dafb85830a3b5d7f204ab655fb1062a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:06 -0300
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 6769498..98130d6 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: 6f36388aba0015568b6b2a4816dacc50146cb3fe
-Top:    fde229599e21ef688d3e4b9f2339df8c55a7a992
+Bottom: 049700a49dafb85830a3b5d7f204ab655fb1062a
+Top:    830ce3133ca2adb5e7292565caf7cc33905af262
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:06 -0300
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index cbc973f..bdd420f 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: fde229599e21ef688d3e4b9f2339df8c55a7a992
-Top:    6d7e1278667b262f6475d7f0930713e0fcaf2164
+Bottom: 830ce3133ca2adb5e7292565caf7cc33905af262
+Top:    c46f27af7da7f04821d8d604cb1f6fdebe1af493
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:06 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 78e372d..6b585e7 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 84a81eb5208d547308c0551a8daf7274f5f51893
-Top:    464934e3117acbbe947a28a984738c55ac1e7982
+Bottom: 4de5887b6571c90da0520d05ea43f403a3fa34ec
+Top:    ba68695341ed62fde872ec262b801f8614334865
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:07 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index c3e1fa5..7af432c 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 464934e3117acbbe947a28a984738c55ac1e7982
-Top:    97ed577a7b5de423e0cbd73e6199c1d5d77a2db2
+Bottom: ba68695341ed62fde872ec262b801f8614334865
+Top:    b635b868ec5a8b50d788d6f60becf14146373aff
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:07 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 45921f9..6a1a9c5 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 6d7e1278667b262f6475d7f0930713e0fcaf2164
-Top:    84a81eb5208d547308c0551a8daf7274f5f51893
+Bottom: c46f27af7da7f04821d8d604cb1f6fdebe1af493
+Top:    4de5887b6571c90da0520d05ea43f403a3fa34ec
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:07 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 232d2b0..c9f81fd 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 97ed577a7b5de423e0cbd73e6199c1d5d77a2db2
-Top:    93d7801d18acd26c49da4772fbbaa130e15e8c35
+Bottom: b635b868ec5a8b50d788d6f60becf14146373aff
+Top:    3fbfb29a402aef2bc5a15640726741426eca8904
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:07 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index cd7fc3b..b3af1bf 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 93d7801d18acd26c49da4772fbbaa130e15e8c35
-Top:    255dc76dfd1273775d159fe84d9f9ff35f7d5184
+Bottom: 3fbfb29a402aef2bc5a15640726741426eca8904
+Top:    f75a142a5e1e8c6b49e3a8f622e8d0177f357f3d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 4978c4d..0994824 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: ea3ba54c73d659d8dfd72d24ca9bff1fd9d533a6
-Top:    f84cb3a8a6935357a83211dd7476aa8cceee29ed
+Bottom: 433caedec169e879059fe6a497b2a6f420d94334
+Top:    968fb766f8ba8e00249074d4e9889193f200d887
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index b7ef137..f9a8ef8 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: e50028beb84ad6b675a13f914ea7f6020b0041fb
-Top:    11d1dc9eeba934ab536b2fddf3eb7e4e30268ee3
+Bottom: f75a142a5e1e8c6b49e3a8f622e8d0177f357f3d
+Top:    74197c280c2327b55e496226262a0ce471390321
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 2b03b87..7737e49 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 11d1dc9eeba934ab536b2fddf3eb7e4e30268ee3
-Top:    287a1605130347164da91db888a4abb2da4313a8
+Bottom: 74197c280c2327b55e496226262a0ce471390321
+Top:    03e8cc5f3903301a0af65e6ddd0359e1c48cd0b1
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 9f3f3cb..75b2d6f 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 7b5b5d8f990508d27c92e7be27499ab075fcd831
-Top:    84ba7139fbdcfc5f51668f8a5c3e0d2ef1124263
+Bottom: 50350adeaabebba128c4819026b005be23b60024
+Top:    2827bf77a32cb7dea2034fa4d12eeb52db8491a8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 92fa78a..86ed331 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 287a1605130347164da91db888a4abb2da4313a8
-Top:    7b5b5d8f990508d27c92e7be27499ab075fcd831
+Bottom: 03e8cc5f3903301a0af65e6ddd0359e1c48cd0b1
+Top:    50350adeaabebba128c4819026b005be23b60024
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index de41b62..37bf7dd 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 84ba7139fbdcfc5f51668f8a5c3e0d2ef1124263
-Top:    c7851f3716d07cb79899c2afd9060ba0012286ea
+Bottom: 2827bf77a32cb7dea2034fa4d12eeb52db8491a8
+Top:    94e8f6c89b1345b143d4d651785e301effcb97e4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index c988723..02f1a3c 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: c7851f3716d07cb79899c2afd9060ba0012286ea
-Top:    a82741c4de572d76f0acefac779c7b54549081ad
+Bottom: 94e8f6c89b1345b143d4d651785e301effcb97e4
+Top:    c48ef49e78eb0f0a0327fe9f89b47646609f316e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 24a89ae..15d5d06 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: a82741c4de572d76f0acefac779c7b54549081ad
-Top:    121d21001f9a090049c70d632774252aca77b79d
+Bottom: c48ef49e78eb0f0a0327fe9f89b47646609f316e
+Top:    8d1dadaf72de52e6a5b1e028fed9aa52ba3b56c2
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index e021f3a..97d9998 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 121d21001f9a090049c70d632774252aca77b79d
-Top:    ea3ba54c73d659d8dfd72d24ca9bff1fd9d533a6
+Bottom: 8d1dadaf72de52e6a5b1e028fed9aa52ba3b56c2
+Top:    433caedec169e879059fe6a497b2a6f420d94334
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e649ae373826f51a9c30dff4a9f0d3366c7a4b3

commit 2e649ae373826f51a9c30dff4a9f0d3366c7a4b3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..f07135e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,137 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{oncesafe, selfdeadlock, asmalloc, asynconsist, incansist}@acunsafe{oncesafe, incansist, lockleak, memleak, fdleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale envromt, oncesafe, asmalloc, selfdeadlock, asynconsist, incansist, memleak, fdleak, lockleak
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c    __gconv_read_conf oncesafe, asmalloc, asynconsist, selfdeadlock, memleak,incansist, fdleak, lockleak
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file asmalloc, asynconsist, selfdeadlock, memleak, incansist, fdleak, lockleak
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       add_alias2 dup asynconsist, asmalloc, incansist, memleak
+@c      add_module asmalloc, memleak
+@c       isspace_l ok (C locale)
+@c       toupper_l ok (C locale)
+@c       strtol ok (glocale, but we hold the locale lock)
+@c       tfind __gconv_alias_db ok
+@c        __gconv_alias_compare dup ok
+@c       calloc asmalloc, memleak
+@c       insert_module dup asmalloc
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module asmalloc
+@c      free asmalloc
+@c     add_alias2 asynconsist, asmalloc, incansist, memleak
+@c      detect_conflict ok, reads __gconv_modules_db
+@c      malloc asmalloc, memleak
+@c      tsearch __gconv_alias_db asynconsist, asmalloc, incansist, memleak
+@c       __gconv_alias_compare ok
+@c      free asmalloc
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=afb86d3a0ff16fe7ba1bac6ce482d367311e7771

commit afb86d3a0ff16fe7ba1bac6ce482d367311e7771
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..36cda7f 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,125 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias
+@c    __gconv_read_conf oncesafe
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       +
+@c      add_module
+@c       +
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module
+@c      +
+@c     add_alias2
+@c      +
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0b3afb70e5ee7968cd9653bfa592f05bb5f4798d

commit 0b3afb70e5ee7968cd9653bfa592f05bb5f4798d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3c71f75c7c0c64263bc679cc89fbfbcea8753653

commit 3c71f75c7c0c64263bc679cc89fbfbcea8753653
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d4b7d87f6ac0c1c4f537289efc7877c4d5bbae93

commit d4b7d87f6ac0c1c4f537289efc7877c4d5bbae93
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6c188d6d1877e318d247a68b863d6f25c5f62965

commit 6c188d6d1877e318d247a68b863d6f25c5f62965
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..1408033 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1646,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2686,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7e937af701f2fa859ae881c59ced25cc3182ef1b

commit 7e937af701f2fa859ae881c59ced25cc3182ef1b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=39bee707673a40f9f7ad816a32cb2b80767d24f5

commit 39bee707673a40f9f7ad816a32cb2b80767d24f5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c071176c59f53ce8f1dfe15b851b99e7818cead1

commit c071176c59f53ce8f1dfe15b851b99e7818cead1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9465760239804be9c83371f416900c5d2b77c585

commit 9465760239804be9c83371f416900c5d2b77c585
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5da6c6fb3d7087914a9d5b07d2c138b48d07891d

commit 5da6c6fb3d7087914a9d5b07d2c138b48d07891d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..5667af3 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1397,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1407,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1417,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1546,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1631,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2393,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2403,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2444,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2653,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2662,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2827,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4243,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4441,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4636,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4806,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4823,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4948,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5118,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5234,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=114949fad3069f3c51d1cd9901a799988e8377b7

commit 114949fad3069f3c51d1cd9901a799988e8377b7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1326,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1353,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1450,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1585,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1597,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1609,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1728,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2201,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2287,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2463,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2775,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3882,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3902,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8d1637219ed7cc2f3bb4819d7a586659f1da3e50

commit 8d1637219ed7cc2f3bb4819d7a586659f1da3e50
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dc5cc158e96987de0e4069e83b8553ae1d968df3

commit dc5cc158e96987de0e4069e83b8553ae1d968df3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1154,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1188,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1227,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1322,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d7b8694a2eee5f336076db4c86e31d0a3e8a5884

commit d7b8694a2eee5f336076db4c86e31d0a3e8a5884
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8643cf752f8e508001e1faf25a3a50b940f5fcac

commit 8643cf752f8e508001e1faf25a3a50b940f5fcac
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=841af416cc09ad9a10c030373274b83b7bf0e9f8

commit 841af416cc09ad9a10c030373274b83b7bf0e9f8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 814c210..c7eb13b 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the
 file.  This structure is associated with the @var{dirstream} handle
@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is a version of @code{readdir} which performs internal
 locking.  Like @code{readdir} it returns the next entry from the
 directory.  To prevent conflicts between simultaneously running
@@ -549,6 +591,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -630,6 +683,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -649,6 +706,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -679,6 +749,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -913,6 +993,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1223,6 +1320,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1282,6 +1380,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1323,6 +1423,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1404,6 +1507,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1908,6 +2020,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1942,6 +2056,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1969,6 +2091,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -2007,12 +2132,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -2020,6 +2147,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -2027,12 +2155,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2765,6 +2907,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2830,6 +2979,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2846,6 +2998,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3225,6 +3413,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ed15acd8f144cf7fab2cb273f29a678af72fee1d

commit ed15acd8f144cf7fab2cb273f29a678af72fee1d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4e7d13cc87a994e6738371f001e34d4304db738f

commit 4e7d13cc87a994e6738371f001e34d4304db738f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe95a108afa92a848495f13bf1be98adf8eb7539

commit fe95a108afa92a848495f13bf1be98adf8eb7539
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d10d9de8dc6b4909fc2ffaca9df6c08f497fe430

commit d10d9de8dc6b4909fc2ffaca9df6c08f497fe430
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..a3c8fa5 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,6 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
@@ -127,6 +134,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +202,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +250,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +266,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +281,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +300,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +382,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +409,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3f8919133306d121a29dea94df850074c59c9327

commit 3f8919133306d121a29dea94df850074c59c9327
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index c720063..79bfcdb 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1348,6 +1359,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1375,6 +1391,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1624,6 +1642,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=acec40190ccb799a124103745f39b272f5c5afa2

commit acec40190ccb799a124103745f39b272f5c5afa2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f5408aef8fd0f838855b341cf29d4b3b0761ceae

commit f5408aef8fd0f838855b341cf29d4b3b0761ceae
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=aaf60aa78ffc0da9405c007a36e9b5ad89f4d7e0

commit aaf60aa78ffc0da9405c007a36e9b5ad89f4d7e0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7c4730c50b3ca97da9c26b8a7b4b302efca2b730

commit 7c4730c50b3ca97da9c26b8a7b4b302efca2b730
Merge: ecbe0af 4e51ca6 d0b8f88
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:23:46 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ecbe0aff753e41d9b46550657d5ebddd79c81210

commit ecbe0aff753e41d9b46550657d5ebddd79c81210
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:23:46 2013 -0300

    refresh

diff --git a/meta b/meta
index 7af1e9b..db2cae7 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,10 @@
 Version: 1
-Previous: 485f76b7b9c5f4375d8b28a566f5ab1b0f111e6d
-Head: 74c9e41f2c8561e8a8cc02e8655526580c3dd151
+Previous: d0b8f88b8fef816ebddf48f01bc0150e975b927f
+Head: 4e51ca6a99c605099f12a779df0d47cceeb4ae4f
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
-  manual-document-mt-safety.patch: cfd5bbe11be81bd19bd894478f09f14ddd746ac8
-  refresh-temp: 74c9e41f2c8561e8a8cc02e8655526580c3dd151
+  manual-document-mt-safety.patch: 4e51ca6a99c605099f12a779df0d47cceeb4ae4f
 Unapplied:
   manual-document-mt-safety-argp.patch: 091e1e16a3a7c50d382e0f9eee36d6d04bcd441a
   manual-document-mt-safety-arith.patch: 6dfda39adb1d84728fb4d392927fe32c70717f8c
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index 4c64009..2c9c0e9 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,5 +1,5 @@
 Bottom: 39cf8b6977e5b0eb658a937d498281477afa6821
-Top:    9dc17c777e87d9e8550bcf18a685ec2e017a008c
+Top:    bc51276153dccb4e0691cf1f0eb3c565579e39f7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:04 -0300
 
@@ -15,10 +15,10 @@ for  ChangeLog
 ---
 
 diff --git a/manual/intro.texi b/manual/intro.texi
-index deaf089..d183e12 100644
+index deaf089..c3142ad 100644
 --- a/manual/intro.texi
 +++ b/manual/intro.texi
-@@ -172,6 +172,412 @@ pattern matching facilities (@pxref{Pattern Matching}).
+@@ -172,6 +172,434 @@ pattern matching facilities (@pxref{Pattern Matching}).
  @comment <wordexp.h> (not yet implemented)
  @comment confstr
  
@@ -134,6 +134,28 @@ index deaf089..d183e12 100644
 +applies.
 +
 +
++@item @code{oncesafe}
++@cindex oncesafe
++
++Functions marked with @code{oncesafe} use the internal @code{libc_once}
++machinery to initialize internal data structures.
++
++If a signal handler interrupts such an initializer, and calls any
++function that also performs @code{libc_once} initialization, it will
++deadlock if the thread library is linked in.
++
++Furthermore, if an initializer is partially complete before it is
++canceled or interrupted by a signal whose handler requires the same
++initialization, some or all of the initialization may be performed more
++than once, leaking resources or even result in corrupt internal data
++structures.
++
++Applications that need to call functions marked with @code{oncesafe}
++should ensure the initialization is performed before configuring signal
++handlers or enabling cancellation, so that the AS- and AC-Safety issues
++related with @code{libc_once} do not arise.
++
++
 +@item @code{uunguard}
 +@cindex uunguard
 +
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index e7de08c..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,41 +0,0 @@
-Bottom: 9dc17c777e87d9e8550bcf18a685ec2e017a008c
-Top:    bc51276153dccb4e0691cf1f0eb3c565579e39f7
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-28 00:23:45 -0300
-
-Refresh of manual-document-mt-safety.patch
-
----
-
-diff --git a/manual/intro.texi b/manual/intro.texi
-index d183e12..c3142ad 100644
---- a/manual/intro.texi
-+++ b/manual/intro.texi
-@@ -284,6 +284,28 @@ access the environment are marked as MT-Safe when no other safety issue
- applies.
- 
- 
-+@item @code{oncesafe}
-+@cindex oncesafe
-+
-+Functions marked with @code{oncesafe} use the internal @code{libc_once}
-+machinery to initialize internal data structures.
-+
-+If a signal handler interrupts such an initializer, and calls any
-+function that also performs @code{libc_once} initialization, it will
-+deadlock if the thread library is linked in.
-+
-+Furthermore, if an initializer is partially complete before it is
-+canceled or interrupted by a signal whose handler requires the same
-+initialization, some or all of the initialization may be performed more
-+than once, leaking resources or even result in corrupt internal data
-+structures.
-+
-+Applications that need to call functions marked with @code{oncesafe}
-+should ensure the initialization is performed before configuring signal
-+handlers or enabling cancellation, so that the AS- and AC-Safety issues
-+related with @code{libc_once} do not arise.
-+
-+
- @item @code{uunguard}
- @cindex uunguard

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d0b8f88b8fef816ebddf48f01bc0150e975b927f

commit d0b8f88b8fef816ebddf48f01bc0150e975b927f
Merge: 94633f0 485f76b 74c9e41
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:23:46 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=94633f0c6ba66f79ebfde308d22f5f81edd948d3

commit 94633f0c6ba66f79ebfde308d22f5f81edd948d3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:23:46 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index d27d2de..7af1e9b 100644
--- a/meta
+++ b/meta
@@ -1,10 +1,11 @@
 Version: 1
-Previous: f1c163251b6c357ccacdec3328cb155295035dd1
-Head: cfd5bbe11be81bd19bd894478f09f14ddd746ac8
+Previous: 485f76b7b9c5f4375d8b28a566f5ab1b0f111e6d
+Head: 74c9e41f2c8561e8a8cc02e8655526580c3dd151
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
   manual-document-mt-safety.patch: cfd5bbe11be81bd19bd894478f09f14ddd746ac8
+  refresh-temp: 74c9e41f2c8561e8a8cc02e8655526580c3dd151
 Unapplied:
   manual-document-mt-safety-argp.patch: 091e1e16a3a7c50d382e0f9eee36d6d04bcd441a
   manual-document-mt-safety-arith.patch: 6dfda39adb1d84728fb4d392927fe32c70717f8c
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..e7de08c
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,41 @@
+Bottom: 9dc17c777e87d9e8550bcf18a685ec2e017a008c
+Top:    bc51276153dccb4e0691cf1f0eb3c565579e39f7
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-28 00:23:45 -0300
+
+Refresh of manual-document-mt-safety.patch
+
+---
+
+diff --git a/manual/intro.texi b/manual/intro.texi
+index d183e12..c3142ad 100644
+--- a/manual/intro.texi
++++ b/manual/intro.texi
+@@ -284,6 +284,28 @@ access the environment are marked as MT-Safe when no other safety issue
+ applies.
+ 
+ 
++@item @code{oncesafe}
++@cindex oncesafe
++
++Functions marked with @code{oncesafe} use the internal @code{libc_once}
++machinery to initialize internal data structures.
++
++If a signal handler interrupts such an initializer, and calls any
++function that also performs @code{libc_once} initialization, it will
++deadlock if the thread library is linked in.
++
++Furthermore, if an initializer is partially complete before it is
++canceled or interrupted by a signal whose handler requires the same
++initialization, some or all of the initialization may be performed more
++than once, leaking resources or even result in corrupt internal data
++structures.
++
++Applications that need to call functions marked with @code{oncesafe}
++should ensure the initialization is performed before configuring signal
++handlers or enabling cancellation, so that the AS- and AC-Safety issues
++related with @code{libc_once} do not arise.
++
++
+ @item @code{uunguard}
+ @cindex uunguard

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=74c9e41f2c8561e8a8cc02e8655526580c3dd151

commit 74c9e41f2c8561e8a8cc02e8655526580c3dd151
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:23:45 2013 -0300

    Refresh of manual-document-mt-safety.patch

diff --git a/manual/intro.texi b/manual/intro.texi
index d183e12..c3142ad 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -284,6 +284,28 @@ access the environment are marked as MT-Safe when no other safety issue
 applies.
 
 
+@item @code{oncesafe}
+@cindex oncesafe
+
+Functions marked with @code{oncesafe} use the internal @code{libc_once}
+machinery to initialize internal data structures.
+
+If a signal handler interrupts such an initializer, and calls any
+function that also performs @code{libc_once} initialization, it will
+deadlock if the thread library is linked in.
+
+Furthermore, if an initializer is partially complete before it is
+canceled or interrupted by a signal whose handler requires the same
+initialization, some or all of the initialization may be performed more
+than once, leaking resources or even result in corrupt internal data
+structures.
+
+Applications that need to call functions marked with @code{oncesafe}
+should ensure the initialization is performed before configuring signal
+handlers or enabling cancellation, so that the AS- and AC-Safety issues
+related with @code{libc_once} do not arise.
+
+
 @item @code{uunguard}
 @cindex uunguard
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=485f76b7b9c5f4375d8b28a566f5ab1b0f111e6d

commit 485f76b7b9c5f4375d8b28a566f5ab1b0f111e6d
Merge: 188dbd8 f1c1632
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:07:40 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=188dbd8d9ec342bdf6a10644f27e65a9117c50c7

commit 188dbd8d9ec342bdf6a10644f27e65a9117c50c7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:07:40 2013 -0300

    goto

diff --git a/meta b/meta
index 462c6b2..d27d2de 100644
--- a/meta
+++ b/meta
@@ -1,10 +1,11 @@
 Version: 1
-Previous: 037213016d6ba4fd70e0026d0c92c4ce1ea3372a
-Head: 3f6a86b4b41552229bec8e2e30c2f20b6e0cefa4
+Previous: f1c163251b6c357ccacdec3328cb155295035dd1
+Head: cfd5bbe11be81bd19bd894478f09f14ddd746ac8
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
   manual-document-mt-safety.patch: cfd5bbe11be81bd19bd894478f09f14ddd746ac8
+Unapplied:
   manual-document-mt-safety-argp.patch: 091e1e16a3a7c50d382e0f9eee36d6d04bcd441a
   manual-document-mt-safety-arith.patch: 6dfda39adb1d84728fb4d392927fe32c70717f8c
   manual-document-mt-safety-charset.patch: b58ef1fd4f0b6a89317ebce875a8c6217da8e8fa
@@ -20,7 +21,6 @@ Applied:
   manual-document-mt-safety-lang.patch: df244861d2cc8225a441c53b523f53150727ae62
   manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
   manual-document-mt-safety-stdio.patch: 3f6a86b4b41552229bec8e2e30c2f20b6e0cefa4
-Unapplied:
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f1c163251b6c357ccacdec3328cb155295035dd1

commit f1c163251b6c357ccacdec3328cb155295035dd1
Merge: faaec83 3f6a86b 0372130
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:05:53 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=faaec835d4c9258cdd77aa767c877f463abc1a09

commit faaec835d4c9258cdd77aa767c877f463abc1a09
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:05:53 2013 -0300

    refresh

diff --git a/meta b/meta
index 0db42cb..462c6b2 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7574e9059a8db40c3176785ed56703a0bdb7d7a5
-Head: 0ffbdee50057721a4cf1939a2cb3604e1bd3bd08
+Previous: 037213016d6ba4fd70e0026d0c92c4ce1ea3372a
+Head: 3f6a86b4b41552229bec8e2e30c2f20b6e0cefa4
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -19,8 +19,7 @@ Applied:
   manual-document-mt-safety-job.patch: 1302198bf7ea242f1be035891c34507df7fa27e7
   manual-document-mt-safety-lang.patch: df244861d2cc8225a441c53b523f53150727ae62
   manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
-  manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
-  refresh-temp: 0ffbdee50057721a4cf1939a2cb3604e1bd3bd08
+  manual-document-mt-safety-stdio.patch: 3f6a86b4b41552229bec8e2e30c2f20b6e0cefa4
 Unapplied:
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index f0316b1..cd7fc3b 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
 Bottom: 93d7801d18acd26c49da4772fbbaa130e15e8c35
-Top:    e50028beb84ad6b675a13f914ea7f6020b0041fb
+Top:    255dc76dfd1273775d159fe84d9f9ff35f7d5184
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/stdio.texi b/manual/stdio.texi
-index 3f9be9bc5..79a3340 100644
+index 3f9be9bc5..5667af3 100644
 --- a/manual/stdio.texi
 +++ b/manual/stdio.texi
 @@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
@@ -452,23 +452,29 @@ index 3f9be9bc5..79a3340 100644
  This function reads a word (that is, an @code{int}) from @var{stream}.
  It's provided for compatibility with SVID.  We recommend you use
  @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
-@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
+@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
  @comment stdio.h
  @comment GNU
  @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
-+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
++@c Besides the usual possibility of getting an inconsistent stream in a
++@c signal handler or leaving it inconsistent in case of cancellation,
++@c the possibility of leaving a dangling pointer upon cancellation
++@c between reallocing the buffer at *lineptr and updating the pointer
++@c brings about another case of incansist.
  This function reads an entire line from @var{stream}, storing the text
  (including the newline and a terminating null character) in a buffer
  and storing the buffer address in @code{*@var{lineptr}}.
-@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
+@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
  @comment stdio.h
  @comment GNU
  @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
-+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
++@c See the getline incansist note.
  This function is like @code{getline} except that the character which
  tells it to stop reading is not necessarily newline.  The argument
  @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
-@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
+@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
  @comment stdio.h
  @comment ISO
  @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
@@ -476,7 +482,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fgets} function reads characters from the stream @var{stream}
  up to and including a newline character and stores them in the string
  @var{s}, adding a null character to mark the end of the string.  You
-@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
+@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
  @comment wchar.h
  @comment ISO
  @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
@@ -484,7 +490,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fgetws} function reads wide characters from the stream
  @var{stream} up to and including a newline character and stores them in
  the string @var{ws}, adding a null wide character to mark the end of the
-@@ -1280,6 +1391,7 @@ message.
+@@ -1280,6 +1397,7 @@ message.
  @comment stdio.h
  @comment GNU
  @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
@@ -492,7 +498,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fgets_unlocked} function is equivalent to the @code{fgets}
  function except that it does not implicitly lock the stream.
  
-@@ -1289,6 +1401,7 @@ This function is a GNU extension.
+@@ -1289,6 +1407,7 @@ This function is a GNU extension.
  @comment wchar.h
  @comment GNU
  @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
@@ -500,7 +506,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
  function except that it does not implicitly lock the stream.
  
-@@ -1298,6 +1411,7 @@ This function is a GNU extension.
+@@ -1298,6 +1417,7 @@ This function is a GNU extension.
  @comment stdio.h
  @comment ISO
  @deftypefn {Deprecated function} {char *} gets (char *@var{s})
@@ -508,7 +514,7 @@ index 3f9be9bc5..79a3340 100644
  The function @code{gets} reads characters from the stream @code{stdin}
  up to the next newline character, and stores them in the string @var{s}.
  The newline character is discarded (note that this differs from the
-@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
+@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
  @comment stdio.h
  @comment ISO
  @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
@@ -516,7 +522,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{ungetc} function pushes back the character @var{c} onto the
  input stream @var{stream}.  So the next input from @var{stream} will
  read @var{c} before anything else.
-@@ -1425,6 +1540,7 @@ will encounter end of file.
+@@ -1425,6 +1546,7 @@ will encounter end of file.
  @comment wchar.h
  @comment ISO
  @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
@@ -524,7 +530,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{ungetwc} function behaves just like @code{ungetc} just that it
  pushes back a wide character.
  @end deftypefun
-@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
+@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
@@ -532,7 +538,7 @@ index 3f9be9bc5..79a3340 100644
  This function reads up to @var{count} objects of size @var{size} into
  the array @var{data}, from the stream @var{stream}.  It returns the
  number of objects actually read, which might be less than @var{count} if
-@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
+@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
  @comment stdio.h
  @comment GNU
  @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
@@ -540,7 +546,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fread_unlocked} function is equivalent to the @code{fread}
  function except that it does not implicitly lock the stream.
  
-@@ -1507,6 +1625,7 @@ This function is a GNU extension.
+@@ -1507,6 +1631,7 @@ This function is a GNU extension.
  @comment stdio.h
  @comment ISO
  @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
@@ -548,7 +554,7 @@ index 3f9be9bc5..79a3340 100644
  This function writes up to @var{count} objects of size @var{size} from
  the array @var{data}, to the stream @var{stream}.  The return value is
  normally @var{count}, if the call succeeds.  Any other value indicates
-@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
+@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
  @comment stdio.h
  @comment GNU
  @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
@@ -556,7 +562,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
  function except that it does not implicitly lock the stream.
  
-@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
+@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int printf (const char *@var{template}, @dots{})
@@ -564,7 +570,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{printf} function prints the optional arguments under the
  control of the template string @var{template} to the stream
  @code{stdout}.  It returns the number of characters printed, or a
-@@ -2266,6 +2387,7 @@ negative value if there was an output error.
+@@ -2266,6 +2393,7 @@ negative value if there was an output error.
  @comment wchar.h
  @comment ISO
  @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
@@ -572,7 +578,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{wprintf} function prints the optional arguments under the
  control of the wide template string @var{template} to the stream
  @code{stdout}.  It returns the number of wide characters printed, or a
-@@ -2275,6 +2397,7 @@ negative value if there was an output error.
+@@ -2275,6 +2403,7 @@ negative value if there was an output error.
  @comment stdio.h
  @comment ISO
  @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
@@ -580,7 +586,7 @@ index 3f9be9bc5..79a3340 100644
  This function is just like @code{printf}, except that the output is
  written to the stream @var{stream} instead of @code{stdout}.
  @end deftypefun
-@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
+@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
  @comment wchar.h
  @comment ISO
  @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
@@ -588,7 +594,7 @@ index 3f9be9bc5..79a3340 100644
  This function is just like @code{wprintf}, except that the output is
  written to the stream @var{stream} instead of @code{stdout}.
  @end deftypefun
-@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
+@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
  @comment stdio.h
  @comment ISO
  @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
@@ -596,7 +602,7 @@ index 3f9be9bc5..79a3340 100644
  This is like @code{printf}, except that the output is stored in the character
  array @var{s} instead of written to a stream.  A null character is written
  to mark the end of the string.
-@@ -2313,6 +2438,7 @@ described below.
+@@ -2313,6 +2444,7 @@ described below.
  @comment wchar.h
  @comment GNU
  @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
@@ -604,7 +610,7 @@ index 3f9be9bc5..79a3340 100644
  This is like @code{wprintf}, except that the output is stored in the
  wide character array @var{ws} instead of written to a stream.  A null
  wide character is written to mark the end of the string.  The @var{size}
-@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
+@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
  @comment stdio.h
  @comment GNU
  @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
@@ -612,7 +618,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{snprintf} function is similar to @code{sprintf}, except that
  the @var{size} argument specifies the maximum number of characters to
  produce.  The trailing null character is counted towards this limit, so
-@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
+@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
  @comment stdio.h
  @comment GNU
  @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
@@ -620,7 +626,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{sprintf}, except that it dynamically
  allocates a string (as with @code{malloc}; @pxref{Unconstrained
  Allocation}) to hold the output, instead of putting the output in a
-@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
+@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
  @comment stdio.h
  @comment GNU
  @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
@@ -628,7 +634,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{asprintf}, except that it uses the
  obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
  
-@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
+@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
@@ -636,7 +642,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{printf} except that, instead of taking
  a variable number of arguments directly, it takes an argument list
  pointer @var{ap}.
-@@ -2517,6 +2647,7 @@ pointer @var{ap}.
+@@ -2517,6 +2653,7 @@ pointer @var{ap}.
  @comment wchar.h
  @comment ISO
  @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
@@ -644,7 +650,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{wprintf} except that, instead of taking
  a variable number of arguments directly, it takes an argument list
  pointer @var{ap}.
-@@ -2525,6 +2656,48 @@ pointer @var{ap}.
+@@ -2525,6 +2662,48 @@ pointer @var{ap}.
  @comment stdio.h
  @comment ISO
  @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
@@ -693,7 +699,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{fprintf} with the variable argument list
  specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
+@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
  @comment wchar.h
  @comment ISO
  @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
@@ -701,7 +707,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{fwprintf} with the variable argument list
  specified directly as for @code{vwprintf}.
  @end deftypefun
-@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
+@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
  @comment stdio.h
  @comment ISO
  @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
@@ -709,7 +715,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{sprintf} with the variable argument list
  specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
+@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
  @comment wchar.h
  @comment GNU
  @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
@@ -717,7 +723,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{swprintf} with the variable argument list
  specified directly as for @code{vwprintf}.
  @end deftypefun
-@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
+@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
  @comment stdio.h
  @comment GNU
  @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
@@ -725,7 +731,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{snprintf} with the variable argument list
  specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
+@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
  @comment stdio.h
  @comment GNU
  @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
@@ -733,7 +739,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{vasprintf} function is the equivalent of @code{asprintf} with the
  variable argument list specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
+@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
  @comment stdio.h
  @comment GNU
  @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
@@ -744,7 +750,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{obstack_vprintf} function is the equivalent of
  @code{obstack_printf} with the variable argument list specified directly
  as for @code{vprintf}.@refill
-@@ -2639,6 +2821,7 @@ file @file{printf.h}.
+@@ -2639,6 +2827,7 @@ file @file{printf.h}.
  @comment printf.h
  @comment GNU
  @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
@@ -752,7 +758,7 @@ index 3f9be9bc5..79a3340 100644
  This function returns information about the number and types of
  arguments expected by the @code{printf} template string @var{template}.
  The information is stored in the array @var{argtypes}; each element of
-@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
+@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
  @comment printf.h
  @comment GNU
  @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
@@ -765,7 +771,7 @@ index 3f9be9bc5..79a3340 100644
  This function defines the conversion specifier character @var{spec}.
  Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
  You can redefine the built-in conversions like @samp{%s}, but flag
-@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
+@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
  @comment printf.h
  @comment GNU
  @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
@@ -778,7 +784,7 @@ index 3f9be9bc5..79a3340 100644
  Print a given floating point number as for the format @code{%f} except
  that there is a postfix character indicating the divisor for the
  number to make this less than 1000.  There are two possible divisors:
-@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
+@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
  @comment printf.h
  @comment GNU
  @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
@@ -786,7 +792,7 @@ index 3f9be9bc5..79a3340 100644
  This function will return in @var{argtypes} the information about the
  used parameters in the way the @code{vfprintf} implementation expects
  it.  The format always takes one argument.
-@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
+@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int scanf (const char *@var{template}, @dots{})
@@ -794,7 +800,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{scanf} function reads formatted input from the stream
  @code{stdin} under the control of the template string @var{template}.
  The optional arguments are pointers to the places which receive the
-@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
+@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
  @comment wchar.h
  @comment ISO
  @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
@@ -802,7 +808,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{wscanf} function reads formatted input from the stream
  @code{stdin} under the control of the template string @var{template}.
  The optional arguments are pointers to the places which receive the
-@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
+@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
  @comment stdio.h
  @comment ISO
  @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
@@ -810,7 +816,7 @@ index 3f9be9bc5..79a3340 100644
  This function is just like @code{scanf}, except that the input is read
  from the stream @var{stream} instead of @code{stdin}.
  @end deftypefun
-@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
+@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
  @comment wchar.h
  @comment ISO
  @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
@@ -818,7 +824,7 @@ index 3f9be9bc5..79a3340 100644
  This function is just like @code{wscanf}, except that the input is read
  from the stream @var{stream} instead of @code{stdin}.
  @end deftypefun
-@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
+@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
  @comment stdio.h
  @comment ISO
  @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
@@ -826,7 +832,7 @@ index 3f9be9bc5..79a3340 100644
  This is like @code{scanf}, except that the characters are taken from the
  null-terminated string @var{s} instead of from a stream.  Reaching the
  end of the string is treated as an end-of-file condition.
-@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
+@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
  @comment wchar.h
  @comment ISO
  @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
@@ -834,7 +840,7 @@ index 3f9be9bc5..79a3340 100644
  This is like @code{wscanf}, except that the characters are taken from the
  null-terminated string @var{ws} instead of from a stream.  Reaching the
  end of the string is treated as an end-of-file condition.
-@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
+@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
  @comment stdio.h
  @comment ISO
  @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
@@ -842,7 +848,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{scanf}, but instead of taking
  a variable number of arguments directly, it takes an argument list
  pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
-@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
  @comment wchar.h
  @comment ISO
  @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
@@ -850,7 +856,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{wscanf}, but instead of taking
  a variable number of arguments directly, it takes an argument list
  pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
-@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
  @comment stdio.h
  @comment ISO
  @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
@@ -858,7 +864,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{fscanf} with the variable argument list
  specified directly as for @code{vscanf}.
  @end deftypefun
-@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
+@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
  @comment wchar.h
  @comment ISO
  @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
@@ -866,7 +872,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{fwscanf} with the variable argument list
  specified directly as for @code{vwscanf}.
  @end deftypefun
-@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
+@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
  @comment stdio.h
  @comment ISO
  @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
@@ -874,7 +880,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{sscanf} with the variable argument list
  specified directly as for @code{vscanf}.
  @end deftypefun
-@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
+@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
  @comment wchar.h
  @comment ISO
  @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
@@ -882,7 +888,7 @@ index 3f9be9bc5..79a3340 100644
  This is the equivalent of @code{swscanf} with the variable argument list
  specified directly as for @code{vwscanf}.
  @end deftypefun
-@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
+@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int feof (FILE *@var{stream})
@@ -890,7 +896,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{feof} function returns nonzero if and only if the end-of-file
  indicator for the stream @var{stream} is set.
  
-@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
+@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
  @comment stdio.h
  @comment GNU
  @deftypefun int feof_unlocked (FILE *@var{stream})
@@ -900,7 +906,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{feof_unlocked} function is equivalent to the @code{feof}
  function except that it does not implicitly lock the stream.
  
-@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
+@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int ferror (FILE *@var{stream})
@@ -908,7 +914,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{ferror} function returns nonzero if and only if the error
  indicator for the stream @var{stream} is set, indicating that an error
  has occurred on a previous operation on the stream.
-@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
+@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
  @comment stdio.h
  @comment GNU
  @deftypefun int ferror_unlocked (FILE *@var{stream})
@@ -916,7 +922,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{ferror_unlocked} function is equivalent to the @code{ferror}
  function except that it does not implicitly lock the stream.
  
-@@ -4023,6 +4237,7 @@ function.
+@@ -4023,6 +4243,7 @@ function.
  @comment stdio.h
  @comment ISO
  @deftypefun void clearerr (FILE *@var{stream})
@@ -924,7 +930,7 @@ index 3f9be9bc5..79a3340 100644
  This function clears the end-of-file and error indicators for the
  stream @var{stream}.
  
-@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
+@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
  @comment stdio.h
  @comment GNU
  @deftypefun void clearerr_unlocked (FILE *@var{stream})
@@ -932,7 +938,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
  function except that it does not implicitly lock the stream.
  
-@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
+@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun {long int} ftell (FILE *@var{stream})
@@ -940,7 +946,7 @@ index 3f9be9bc5..79a3340 100644
  This function returns the current file position of the stream
  @var{stream}.
  
-@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
+@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
  @comment stdio.h
  @comment Unix98
  @deftypefun off_t ftello (FILE *@var{stream})
@@ -948,7 +954,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{ftello} function is similar to @code{ftell}, except that it
  returns a value of type @code{off_t}.  Systems which support this type
  use it to describe all file positions, unlike the POSIX specification
-@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
+@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun off64_t ftello64 (FILE *@var{stream})
@@ -956,7 +962,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{ftello} with the only difference that
  the return value is of type @code{off64_t}.  This also requires that the
  stream @var{stream} was opened using either @code{fopen64},
-@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
+@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
  @comment stdio.h
  @comment ISO
  @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
@@ -964,7 +970,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fseek} function is used to change the file position of the
  stream @var{stream}.  The value of @var{whence} must be one of the
  constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
-@@ -4215,6 +4435,7 @@ place in the file.
+@@ -4215,6 +4441,7 @@ place in the file.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
@@ -972,7 +978,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{fseek} but it corrects a problem with
  @code{fseek} in a system with POSIX types.  Using a value of type
  @code{long int} for the offset is not compatible with POSIX.
-@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
+@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
@@ -980,7 +986,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{fseeko} with the only difference that
  the @var{offset} parameter is of type @code{off64_t}.  This also
  requires that the stream @var{stream} was opened using either
-@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
+@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
  @comment stdio.h
  @comment ISO
  @deftypefun void rewind (FILE *@var{stream})
@@ -988,7 +994,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{rewind} function positions the stream @var{stream} at the
  beginning of the file.  It is equivalent to calling @code{fseek} or
  @code{fseeko} on the @var{stream} with an @var{offset} argument of
-@@ -4407,6 +4630,7 @@ representation.
+@@ -4407,6 +4636,7 @@ representation.
  @comment stdio.h
  @comment ISO
  @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
@@ -996,7 +1002,7 @@ index 3f9be9bc5..79a3340 100644
  This function stores the value of the file position indicator for the
  stream @var{stream} in the @code{fpos_t} object pointed to by
  @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
-@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
+@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
@@ -1004,7 +1010,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{fgetpos} but the file position is
  returned in a variable of type @code{fpos64_t} to which @var{position}
  points.
-@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
+@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
  @comment stdio.h
  @comment ISO
  @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
@@ -1012,7 +1018,7 @@ index 3f9be9bc5..79a3340 100644
  This function sets the file position indicator for the stream @var{stream}
  to the position @var{position}, which must have been set by a previous
  call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
-@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
+@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
@@ -1020,7 +1026,7 @@ index 3f9be9bc5..79a3340 100644
  This function is similar to @code{fsetpos} but the file position used
  for positioning is provided in a variable of type @code{fpos64_t} to
  which @var{position} points.
-@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
+@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
  @comment stdio.h
  @comment ISO
  @deftypefun int fflush (FILE *@var{stream})
@@ -1028,7 +1034,7 @@ index 3f9be9bc5..79a3340 100644
  This function causes any buffered output on @var{stream} to be delivered
  to the file.  If @var{stream} is a null pointer, then
  @code{fflush} causes buffered output on @emph{all} open output streams
-@@ -4572,6 +4800,7 @@ otherwise.
+@@ -4572,6 +4806,7 @@ otherwise.
  @comment stdio.h
  @comment POSIX
  @deftypefun int fflush_unlocked (FILE *@var{stream})
@@ -1036,7 +1042,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{fflush_unlocked} function is equivalent to the @code{fflush}
  function except that it does not implicitly lock the stream.
  @end deftypefun
-@@ -4588,6 +4817,7 @@ exported.
+@@ -4588,6 +4823,7 @@ exported.
  @comment stdio_ext.h
  @comment GNU
  @deftypefun void _flushlbf (void)
@@ -1044,7 +1050,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{_flushlbf} function flushes all line buffered streams
  currently opened.
  
-@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
+@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
  @comment stdio_ext.h
  @comment GNU
  @deftypefun void __fpurge (FILE *@var{stream})
@@ -1052,7 +1058,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{__fpurge} function causes the buffer of the stream
  @var{stream} to be emptied.  If the stream is currently in read mode all
  input in the buffer is lost.  If the stream is in output mode the
-@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
+@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
@@ -1060,7 +1066,7 @@ index 3f9be9bc5..79a3340 100644
  This function is used to specify that the stream @var{stream} should
  have the buffering mode @var{mode}, which can be either @code{_IOFBF}
  (for full buffering), @code{_IOLBF} (for line buffering), or
-@@ -4710,6 +4942,7 @@ efficient size.
+@@ -4710,6 +4948,7 @@ efficient size.
  @comment stdio.h
  @comment ISO
  @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
@@ -1068,7 +1074,7 @@ index 3f9be9bc5..79a3340 100644
  If @var{buf} is a null pointer, the effect of this function is
  equivalent to calling @code{setvbuf} with a @var{mode} argument of
  @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
-@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
+@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
  @comment stdio.h
  @comment BSD
  @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
@@ -1076,7 +1082,7 @@ index 3f9be9bc5..79a3340 100644
  If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
  Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
  buffer.  The @var{size} argument specifies the length of @var{buf}.
-@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
+@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
  @comment stdio.h
  @comment BSD
  @deftypefun void setlinebuf (FILE *@var{stream})
@@ -1084,7 +1090,7 @@ index 3f9be9bc5..79a3340 100644
  This function makes @var{stream} be line buffered, and allocates the
  buffer for you.
  
-@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
+@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
  @comment stdio_ext.h
  @comment GNU
  @deftypefun int __flbf (FILE *@var{stream})
@@ -1092,7 +1098,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{__flbf} function will return a nonzero value in case the
  stream @var{stream} is line buffered.  Otherwise the return value is
  zero.
-@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
+@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
  @comment stdio_ext.h
  @comment GNU
  @deftypefun size_t __fbufsize (FILE *@var{stream})
@@ -1100,7 +1106,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{__fbufsize} function return the size of the buffer in the
  stream @var{stream}.  This value can be used to optimize the use of the
  stream.
-@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
+@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
  @comment stdio_ext.h
  @comment GNU
  @deftypefun size_t __fpending (FILE *@var{stream})
@@ -1108,7 +1114,7 @@ index 3f9be9bc5..79a3340 100644
  The @code{__fpending}
  function returns the number of bytes currently in the output buffer.
  For wide-oriented stream the measuring unit is wide characters.  This
-@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
+@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
  @comment stdio.h
  @comment GNU
  @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
@@ -1119,7 +1125,7 @@ index 3f9be9bc5..79a3340 100644
  This function opens a stream that allows the access specified by the
  @var{opentype} argument, that reads from or writes to the buffer specified
  by the argument @var{buf}.  This array must be at least @var{size} bytes long.
-@@ -4870,6 +5112,7 @@ Got r
+@@ -4870,6 +5118,7 @@ Got r
  @comment stdio.h
  @comment GNU
  @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
@@ -1127,7 +1133,7 @@ index 3f9be9bc5..79a3340 100644
  This function opens a stream for writing to a buffer.  The buffer is
  allocated dynamically and grown as necessary, using @code{malloc}.
  After you've closed the stream, this buffer is your responsibility to
-@@ -4985,6 +5228,7 @@ closed.
+@@ -4985,6 +5234,7 @@ closed.
  @comment stdio.h
  @comment GNU
  @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
@@ -1135,7 +1141,7 @@ index 3f9be9bc5..79a3340 100644
  This function actually creates the stream for communicating with the
  @var{cookie} using the functions in the @var{io-functions} argument.
  The @var{opentype} argument is interpreted as for @code{fopen};
-@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
+@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
  @comment fmtmsg.h
  @comment XPG
  @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
@@ -1143,7 +1149,7 @@ index 3f9be9bc5..79a3340 100644
  Display a message described by its parameters on the device(s) specified
  in the @var{classification} parameter.  The @var{label} parameter
  identifies the source of the message.  The string should consist of two
-@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
+@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
  but this is toilsome.
  
  @deftypefun int addseverity (int @var{severity}, const char *@var{string})
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 4c047be..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,37 +0,0 @@
-Bottom: e50028beb84ad6b675a13f914ea7f6020b0041fb
-Top:    255dc76dfd1273775d159fe84d9f9ff35f7d5184
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-28 00:05:52 -0300
-
-Refresh of manual-document-mt-safety-stdio.patch
-
----
-
-diff --git a/manual/stdio.texi b/manual/stdio.texi
-index 79a3340..5667af3 100644
---- a/manual/stdio.texi
-+++ b/manual/stdio.texi
-@@ -1280,7 +1280,12 @@ All these functions are declared in @file{stdio.h}.
- @comment stdio.h
- @comment GNU
- @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
--@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
-+@c Besides the usual possibility of getting an inconsistent stream in a
-+@c signal handler or leaving it inconsistent in case of cancellation,
-+@c the possibility of leaving a dangling pointer upon cancellation
-+@c between reallocing the buffer at *lineptr and updating the pointer
-+@c brings about another case of incansist.
- This function reads an entire line from @var{stream}, storing the text
- (including the newline and a terminating null character) in a buffer
- and storing the buffer address in @code{*@var{lineptr}}.
-@@ -1316,7 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
- @comment stdio.h
- @comment GNU
- @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
--@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
-+@c See the getline incansist note.
- This function is like @code{getline} except that the character which
- tells it to stop reading is not necessarily newline.  The argument
- @var{delimiter} specifies the delimiter character; @code{getdelim} keeps

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=037213016d6ba4fd70e0026d0c92c4ce1ea3372a

commit 037213016d6ba4fd70e0026d0c92c4ce1ea3372a
Merge: 7c5d1a3 7574e90 0ffbdee
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:05:53 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7c5d1a3e8b6fddd426f720888452bfe0145b3c66

commit 7c5d1a3e8b6fddd426f720888452bfe0145b3c66
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:05:53 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index adebb39..0db42cb 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 8fede8f0d0f41c2ad3c321923844ed00a317258f
-Head: 8d679074193b580e3ea1b810b03b6c976a47f9cd
+Previous: 7574e9059a8db40c3176785ed56703a0bdb7d7a5
+Head: 0ffbdee50057721a4cf1939a2cb3604e1bd3bd08
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-lang.patch: df244861d2cc8225a441c53b523f53150727ae62
   manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
+  refresh-temp: 0ffbdee50057721a4cf1939a2cb3604e1bd3bd08
 Unapplied:
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..4c047be
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,37 @@
+Bottom: e50028beb84ad6b675a13f914ea7f6020b0041fb
+Top:    255dc76dfd1273775d159fe84d9f9ff35f7d5184
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-28 00:05:52 -0300
+
+Refresh of manual-document-mt-safety-stdio.patch
+
+---
+
+diff --git a/manual/stdio.texi b/manual/stdio.texi
+index 79a3340..5667af3 100644
+--- a/manual/stdio.texi
++++ b/manual/stdio.texi
+@@ -1280,7 +1280,12 @@ All these functions are declared in @file{stdio.h}.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+-@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
++@c Besides the usual possibility of getting an inconsistent stream in a
++@c signal handler or leaving it inconsistent in case of cancellation,
++@c the possibility of leaving a dangling pointer upon cancellation
++@c between reallocing the buffer at *lineptr and updating the pointer
++@c brings about another case of incansist.
+ This function reads an entire line from @var{stream}, storing the text
+ (including the newline and a terminating null character) in a buffer
+ and storing the buffer address in @code{*@var{lineptr}}.
+@@ -1316,7 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
+ @comment stdio.h
+ @comment GNU
+ @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+-@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
++@c See the getline incansist note.
+ This function is like @code{getline} except that the character which
+ tells it to stop reading is not necessarily newline.  The argument
+ @var{delimiter} specifies the delimiter character; @code{getdelim} keeps

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0ffbdee50057721a4cf1939a2cb3604e1bd3bd08

commit 0ffbdee50057721a4cf1939a2cb3604e1bd3bd08
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Aug 28 00:05:52 2013 -0300

    Refresh of manual-document-mt-safety-stdio.patch

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 79a3340..5667af3 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -1280,7 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
-@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1316,7 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
-@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7574e9059a8db40c3176785ed56703a0bdb7d7a5

commit 7574e9059a8db40c3176785ed56703a0bdb7d7a5
Merge: e064e83 8fede8f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 27 23:55:54 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e064e8321054dc11c0135db7c3318aff03e63d8c

commit e064e8321054dc11c0135db7c3318aff03e63d8c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 27 23:55:54 2013 -0300

    goto

diff --git a/meta b/meta
index 2abfb28..adebb39 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 35bf220e9b40707741474d9892370654b9f67f69
-Head: 7e105f03df345c9d37e09985a410f6d6177d8ed3
+Previous: 8fede8f0d0f41c2ad3c321923844ed00a317258f
+Head: 8d679074193b580e3ea1b810b03b6c976a47f9cd
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-lang.patch: df244861d2cc8225a441c53b523f53150727ae62
   manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
+Unapplied:
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
@@ -29,5 +30,4 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: b788aa476a3f1241be343db5eed095d40d4e7f99
   wip-manual-document-mt-safety-time.patch: d1221244d675ec6bcc205f518c664c13def4a4a6
   wip-manual-document-mt-safety-locale.patch: 7e105f03df345c9d37e09985a410f6d6177d8ed3
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8fede8f0d0f41c2ad3c321923844ed00a317258f

commit 8fede8f0d0f41c2ad3c321923844ed00a317258f
Merge: 2b8e11a 7e105f0 35bf220
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 27 23:55:08 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2b8e11abe9014f1ae3c14fb25f1ae94f185f7832

commit 2b8e11abe9014f1ae3c14fb25f1ae94f185f7832
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 27 23:55:08 2013 -0300

    refresh

diff --git a/meta b/meta
index 22bb730..2abfb28 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5d6f27b1324fb81c98e6c1d2da2459e7cd9ae292
-Head: 585e327c9509c97ad3feac8b41880d8508f32d5c
+Previous: 35bf220e9b40707741474d9892370654b9f67f69
+Head: 7e105f03df345c9d37e09985a410f6d6177d8ed3
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: af4517fcf40418c102664f0ad468424d974e1579
   wip-manual-document-mt-safety-threads.patch: b788aa476a3f1241be343db5eed095d40d4e7f99
   wip-manual-document-mt-safety-time.patch: d1221244d675ec6bcc205f518c664c13def4a4a6
-  wip-manual-document-mt-safety-locale.patch: 28aa5e47701436456d44e42a505033190371b497
-  refresh-temp: 585e327c9509c97ad3feac8b41880d8508f32d5c
+  wip-manual-document-mt-safety-locale.patch: 7e105f03df345c9d37e09985a410f6d6177d8ed3
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 9b82f19..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,113 +0,0 @@
-Bottom: 31a338b2678571adc223b08713e368bb1acb39d9
-Top:    f84cb3a8a6935357a83211dd7476aa8cceee29ed
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-27 23:55:06 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index c61360b..36cda7f 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -242,9 +242,27 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c  setname ok
- @c  _nl_find_locale
- @c   getenv LC_ALL and LANG envromt
--@c   _nl_load_locale_from_archive
-+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
- @c    sysconf _SC_PAGE_SIZE ok
--@c    
-+@c    _nl_normalize_codeset asmalloc, memleak
-+@c     isalnum_l ok (C locale)
-+@c     isdigit_l ok (C locale)
-+@c     malloc asmalloc, memleak
-+@c     tolower_l ok (C locale)
-+@c    open_not_cancel_2 fdleak
-+@c    fxstat64 ok
-+@c    close_not_cancel_no_status ok
-+@c    __mmap64 memleak
-+@c    calculate_head_size ok
-+@c    __munmap ok
-+@c    compute_hashval ok
-+@c    qsort dup asmalloc, memleak
-+@c     rangecmp ok
-+@c    malloc asmalloc, memleak
-+@c    strdup asmalloc, memleak
-+@c    _nl_intern_locale_data asmalloc, memleak
-+@c     malloc asmalloc, memleak
-+@c     free asmalloc, memleak
- @c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
- @c    libc_lock_lock selfdeadlock, lockleak
- @c    bsearch ok
-@@ -263,10 +281,66 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c     qsort asmalloc, memleak
- @c      alias_compare dup
- @c    libc_lock_unlock lockleak
--@c   _nl_explode_name
--@c   _nl_make_l10nflist
--@c   _nl_load_locale
-+@c   _nl_explode_name asmalloc, memleak
-+@c    _nl_find_language ok
-+@c    _nl_normalize_codeset dup asmalloc, memleak
-+@c   _nl_make_l10nflist asmalloc, memleak
-+@c    malloc asmalloc, memleak
-+@c    free asmalloc, memleak
-+@c    __argz_stringify ok
-+@c    __argz_count ok
-+@c    __argz_next ok
-+@c   _nl_load_locale asmalloc, memleak, fdleak
-+@c    open_not_cancel_2 fdleak
-+@c    __fxstat64 ok
-+@c    close_not_cancel_no_status ok
-+@c    mmap memleak
-+@c    malloc asmalloc, memleak
-+@c    read_not_cancel ok
-+@c    free asmalloc, memleak
-+@c    _nl_intern_locale_data dup asmalloc, memleak
-+@c    munmap ok
- @c   __gconv_compare_alias
-+@c    __gconv_read_conf oncesafe
-+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
-+@c      never modified afterwards)
-+@c     __gconv_load_cache asmalloc, memleak, fdleak
-+@c      getenv GCONV_PATH envromt
-+@c      open_not_cancel fdleak
-+@c      __fxstat64 ok
-+@c      close_not_cancel_no_status ok
-+@c      mmap memleak
-+@c      malloc asmalloc, memleak
-+@c      __read ok
-+@c      free asmalloc, memleak
-+@c      munmap ok
-+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
-+@c      getcwd asmalloc, memleak, fdleak
-+@c      libc_lock_lock selfdeadlock, lockleak
-+@c      malloc asmalloc, memleak
-+@c      strtok_r ok
-+@c      libc_lock_unlock lockleak
-+@c     read_conf_file
-+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
-+@c      fsetlocking ok
-+@c      feof_unlocked ok
-+@c      getdelim asmalloc, asynconsist, memleak, incansist
-+@c      isspace_l ok (C locale)
-+@c      add_alias
-+@c       +
-+@c      add_module
-+@c       +
-+@c     __tfind ok (because the tree is read only by then)
-+@c      __gconv_alias_compare dup ok
-+@c     insert_module
-+@c      +
-+@c     add_alias2
-+@c      +
-+@c    __gconv_compare_alias_cache ok
-+@c     find_module_idx ok
-+@c    do_lookup_alias ok
-+@c     __tfind ok (because the tree is read only by then)
-+@c      __gconv_alias_compare ok
- @c   strndup asmalloc, memleak
- @c   strcasecmp_l ok (C locale)
- The function @code{setlocale} sets the current locale for category
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 4e8e107..4978c4d 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: ea3ba54c73d659d8dfd72d24ca9bff1fd9d533a6
-Top:    31a338b2678571adc223b08713e368bb1acb39d9
+Top:    f84cb3a8a6935357a83211dd7476aa8cceee29ed
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
@@ -13,10 +13,10 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..c61360b 100644
+index 2f10fcd..36cda7f 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
-@@ -224,6 +224,51 @@ The symbols in this section are defined in the header file @file{locale.h}.
+@@ -224,6 +224,125 @@ The symbols in this section are defined in the header file @file{locale.h}.
  @comment locale.h
  @comment ISO
  @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
@@ -38,9 +38,27 @@ index 2f10fcd..c61360b 100644
 +@c  setname ok
 +@c  _nl_find_locale
 +@c   getenv LC_ALL and LANG envromt
-+@c   _nl_load_locale_from_archive
++@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
 +@c    sysconf _SC_PAGE_SIZE ok
-+@c    
++@c    _nl_normalize_codeset asmalloc, memleak
++@c     isalnum_l ok (C locale)
++@c     isdigit_l ok (C locale)
++@c     malloc asmalloc, memleak
++@c     tolower_l ok (C locale)
++@c    open_not_cancel_2 fdleak
++@c    fxstat64 ok
++@c    close_not_cancel_no_status ok
++@c    __mmap64 memleak
++@c    calculate_head_size ok
++@c    __munmap ok
++@c    compute_hashval ok
++@c    qsort dup asmalloc, memleak
++@c     rangecmp ok
++@c    malloc asmalloc, memleak
++@c    strdup asmalloc, memleak
++@c    _nl_intern_locale_data asmalloc, memleak
++@c     malloc asmalloc, memleak
++@c     free asmalloc, memleak
 +@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
 +@c    libc_lock_lock selfdeadlock, lockleak
 +@c    bsearch ok
@@ -59,10 +77,66 @@ index 2f10fcd..c61360b 100644
 +@c     qsort asmalloc, memleak
 +@c      alias_compare dup
 +@c    libc_lock_unlock lockleak
-+@c   _nl_explode_name
-+@c   _nl_make_l10nflist
-+@c   _nl_load_locale
++@c   _nl_explode_name asmalloc, memleak
++@c    _nl_find_language ok
++@c    _nl_normalize_codeset dup asmalloc, memleak
++@c   _nl_make_l10nflist asmalloc, memleak
++@c    malloc asmalloc, memleak
++@c    free asmalloc, memleak
++@c    __argz_stringify ok
++@c    __argz_count ok
++@c    __argz_next ok
++@c   _nl_load_locale asmalloc, memleak, fdleak
++@c    open_not_cancel_2 fdleak
++@c    __fxstat64 ok
++@c    close_not_cancel_no_status ok
++@c    mmap memleak
++@c    malloc asmalloc, memleak
++@c    read_not_cancel ok
++@c    free asmalloc, memleak
++@c    _nl_intern_locale_data dup asmalloc, memleak
++@c    munmap ok
 +@c   __gconv_compare_alias
++@c    __gconv_read_conf oncesafe
++@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
++@c      never modified afterwards)
++@c     __gconv_load_cache asmalloc, memleak, fdleak
++@c      getenv GCONV_PATH envromt
++@c      open_not_cancel fdleak
++@c      __fxstat64 ok
++@c      close_not_cancel_no_status ok
++@c      mmap memleak
++@c      malloc asmalloc, memleak
++@c      __read ok
++@c      free asmalloc, memleak
++@c      munmap ok
++@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
++@c      getcwd asmalloc, memleak, fdleak
++@c      libc_lock_lock selfdeadlock, lockleak
++@c      malloc asmalloc, memleak
++@c      strtok_r ok
++@c      libc_lock_unlock lockleak
++@c     read_conf_file
++@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
++@c      fsetlocking ok
++@c      feof_unlocked ok
++@c      getdelim asmalloc, asynconsist, memleak, incansist
++@c      isspace_l ok (C locale)
++@c      add_alias
++@c       +
++@c      add_module
++@c       +
++@c     __tfind ok (because the tree is read only by then)
++@c      __gconv_alias_compare dup ok
++@c     insert_module
++@c      +
++@c     add_alias2
++@c      +
++@c    __gconv_compare_alias_cache ok
++@c     find_module_idx ok
++@c    do_lookup_alias ok
++@c     __tfind ok (because the tree is read only by then)
++@c      __gconv_alias_compare ok
 +@c   strndup asmalloc, memleak
 +@c   strcasecmp_l ok (C locale)
  The function @code{setlocale} sets the current locale for category

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=35bf220e9b40707741474d9892370654b9f67f69

commit 35bf220e9b40707741474d9892370654b9f67f69
Merge: ca0fa63 5d6f27b 585e327
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 27 23:55:08 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ca0fa63d280951ab986dbc124dbbdd2f3844fa44

commit ca0fa63d280951ab986dbc124dbbdd2f3844fa44
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 27 23:55:08 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index ef8f3fb..22bb730 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5428a9ce16a23494132ddcc2d21477938ef3b5ee
-Head: 28aa5e47701436456d44e42a505033190371b497
+Previous: 5d6f27b1324fb81c98e6c1d2da2459e7cd9ae292
+Head: 585e327c9509c97ad3feac8b41880d8508f32d5c
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: b788aa476a3f1241be343db5eed095d40d4e7f99
   wip-manual-document-mt-safety-time.patch: d1221244d675ec6bcc205f518c664c13def4a4a6
   wip-manual-document-mt-safety-locale.patch: 28aa5e47701436456d44e42a505033190371b497
+  refresh-temp: 585e327c9509c97ad3feac8b41880d8508f32d5c
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..9b82f19
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,113 @@
+Bottom: 31a338b2678571adc223b08713e368bb1acb39d9
+Top:    f84cb3a8a6935357a83211dd7476aa8cceee29ed
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-27 23:55:06 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index c61360b..36cda7f 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -242,9 +242,27 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c  setname ok
+ @c  _nl_find_locale
+ @c   getenv LC_ALL and LANG envromt
+-@c   _nl_load_locale_from_archive
++@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+ @c    sysconf _SC_PAGE_SIZE ok
+-@c    
++@c    _nl_normalize_codeset asmalloc, memleak
++@c     isalnum_l ok (C locale)
++@c     isdigit_l ok (C locale)
++@c     malloc asmalloc, memleak
++@c     tolower_l ok (C locale)
++@c    open_not_cancel_2 fdleak
++@c    fxstat64 ok
++@c    close_not_cancel_no_status ok
++@c    __mmap64 memleak
++@c    calculate_head_size ok
++@c    __munmap ok
++@c    compute_hashval ok
++@c    qsort dup asmalloc, memleak
++@c     rangecmp ok
++@c    malloc asmalloc, memleak
++@c    strdup asmalloc, memleak
++@c    _nl_intern_locale_data asmalloc, memleak
++@c     malloc asmalloc, memleak
++@c     free asmalloc, memleak
+ @c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+ @c    libc_lock_lock selfdeadlock, lockleak
+ @c    bsearch ok
+@@ -263,10 +281,66 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c     qsort asmalloc, memleak
+ @c      alias_compare dup
+ @c    libc_lock_unlock lockleak
+-@c   _nl_explode_name
+-@c   _nl_make_l10nflist
+-@c   _nl_load_locale
++@c   _nl_explode_name asmalloc, memleak
++@c    _nl_find_language ok
++@c    _nl_normalize_codeset dup asmalloc, memleak
++@c   _nl_make_l10nflist asmalloc, memleak
++@c    malloc asmalloc, memleak
++@c    free asmalloc, memleak
++@c    __argz_stringify ok
++@c    __argz_count ok
++@c    __argz_next ok
++@c   _nl_load_locale asmalloc, memleak, fdleak
++@c    open_not_cancel_2 fdleak
++@c    __fxstat64 ok
++@c    close_not_cancel_no_status ok
++@c    mmap memleak
++@c    malloc asmalloc, memleak
++@c    read_not_cancel ok
++@c    free asmalloc, memleak
++@c    _nl_intern_locale_data dup asmalloc, memleak
++@c    munmap ok
+ @c   __gconv_compare_alias
++@c    __gconv_read_conf oncesafe
++@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
++@c      never modified afterwards)
++@c     __gconv_load_cache asmalloc, memleak, fdleak
++@c      getenv GCONV_PATH envromt
++@c      open_not_cancel fdleak
++@c      __fxstat64 ok
++@c      close_not_cancel_no_status ok
++@c      mmap memleak
++@c      malloc asmalloc, memleak
++@c      __read ok
++@c      free asmalloc, memleak
++@c      munmap ok
++@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
++@c      getcwd asmalloc, memleak, fdleak
++@c      libc_lock_lock selfdeadlock, lockleak
++@c      malloc asmalloc, memleak
++@c      strtok_r ok
++@c      libc_lock_unlock lockleak
++@c     read_conf_file
++@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
++@c      fsetlocking ok
++@c      feof_unlocked ok
++@c      getdelim asmalloc, asynconsist, memleak, incansist
++@c      isspace_l ok (C locale)
++@c      add_alias
++@c       +
++@c      add_module
++@c       +
++@c     __tfind ok (because the tree is read only by then)
++@c      __gconv_alias_compare dup ok
++@c     insert_module
++@c      +
++@c     add_alias2
++@c      +
++@c    __gconv_compare_alias_cache ok
++@c     find_module_idx ok
++@c    do_lookup_alias ok
++@c     __tfind ok (because the tree is read only by then)
++@c      __gconv_alias_compare ok
+ @c   strndup asmalloc, memleak
+ @c   strcasecmp_l ok (C locale)
+ The function @code{setlocale} sets the current locale for category

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=585e327c9509c97ad3feac8b41880d8508f32d5c

commit 585e327c9509c97ad3feac8b41880d8508f32d5c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 27 23:55:06 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index c61360b..36cda7f 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -242,9 +242,27 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c  setname ok
 @c  _nl_find_locale
 @c   getenv LC_ALL and LANG envromt
-@c   _nl_load_locale_from_archive
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
 @c    sysconf _SC_PAGE_SIZE ok
-@c    
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
 @c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
 @c    libc_lock_lock selfdeadlock, lockleak
 @c    bsearch ok
@@ -263,10 +281,66 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c     qsort asmalloc, memleak
 @c      alias_compare dup
 @c    libc_lock_unlock lockleak
-@c   _nl_explode_name
-@c   _nl_make_l10nflist
-@c   _nl_load_locale
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
 @c   __gconv_compare_alias
+@c    __gconv_read_conf oncesafe
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       +
+@c      add_module
+@c       +
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module
+@c      +
+@c     add_alias2
+@c      +
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
 @c   strndup asmalloc, memleak
 @c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7e105f03df345c9d37e09985a410f6d6177d8ed3

commit 7e105f03df345c9d37e09985a410f6d6177d8ed3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..36cda7f 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,125 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive asmalloc, memleak, fdleak
+@c    sysconf _SC_PAGE_SIZE ok
+@c    _nl_normalize_codeset asmalloc, memleak
+@c     isalnum_l ok (C locale)
+@c     isdigit_l ok (C locale)
+@c     malloc asmalloc, memleak
+@c     tolower_l ok (C locale)
+@c    open_not_cancel_2 fdleak
+@c    fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    __mmap64 memleak
+@c    calculate_head_size ok
+@c    __munmap ok
+@c    compute_hashval ok
+@c    qsort dup asmalloc, memleak
+@c     rangecmp ok
+@c    malloc asmalloc, memleak
+@c    strdup asmalloc, memleak
+@c    _nl_intern_locale_data asmalloc, memleak
+@c     malloc asmalloc, memleak
+@c     free asmalloc, memleak
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name asmalloc, memleak
+@c    _nl_find_language ok
+@c    _nl_normalize_codeset dup asmalloc, memleak
+@c   _nl_make_l10nflist asmalloc, memleak
+@c    malloc asmalloc, memleak
+@c    free asmalloc, memleak
+@c    __argz_stringify ok
+@c    __argz_count ok
+@c    __argz_next ok
+@c   _nl_load_locale asmalloc, memleak, fdleak
+@c    open_not_cancel_2 fdleak
+@c    __fxstat64 ok
+@c    close_not_cancel_no_status ok
+@c    mmap memleak
+@c    malloc asmalloc, memleak
+@c    read_not_cancel ok
+@c    free asmalloc, memleak
+@c    _nl_intern_locale_data dup asmalloc, memleak
+@c    munmap ok
+@c   __gconv_compare_alias
+@c    __gconv_read_conf oncesafe
+@c     (libc_once-initializes gconv_cache and gconv_path_envvar; they're
+@c      never modified afterwards)
+@c     __gconv_load_cache asmalloc, memleak, fdleak
+@c      getenv GCONV_PATH envromt
+@c      open_not_cancel fdleak
+@c      __fxstat64 ok
+@c      close_not_cancel_no_status ok
+@c      mmap memleak
+@c      malloc asmalloc, memleak
+@c      __read ok
+@c      free asmalloc, memleak
+@c      munmap ok
+@c     __gconv_get_path selfdeadlock, asmalloc, lockleak, memleak, fdleak
+@c      getcwd asmalloc, memleak, fdleak
+@c      libc_lock_lock selfdeadlock, lockleak
+@c      malloc asmalloc, memleak
+@c      strtok_r ok
+@c      libc_lock_unlock lockleak
+@c     read_conf_file
+@c      fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c      fsetlocking ok
+@c      feof_unlocked ok
+@c      getdelim asmalloc, asynconsist, memleak, incansist
+@c      isspace_l ok (C locale)
+@c      add_alias
+@c       +
+@c      add_module
+@c       +
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare dup ok
+@c     insert_module
+@c      +
+@c     add_alias2
+@c      +
+@c    __gconv_compare_alias_cache ok
+@c     find_module_idx ok
+@c    do_lookup_alias ok
+@c     __tfind ok (because the tree is read only by then)
+@c      __gconv_alias_compare ok
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d6f27b1324fb81c98e6c1d2da2459e7cd9ae292

commit 5d6f27b1324fb81c98e6c1d2da2459e7cd9ae292
Merge: 55beeb7 5428a9c 28aa5e4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:43:21 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=55beeb75bd4785f689e168e77f30ffa5c7ce8eb8

commit 55beeb75bd4785f689e168e77f30ffa5c7ce8eb8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:43:21 2013 -0300

    push

diff --git a/meta b/meta
index 97c3d43..ef8f3fb 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 2aa2c5a67e8c3e47045671b98533fe297ae7c392
-Head: eb3c85b71c56902290473a92e6c8f3ffa4852964
+Previous: 5428a9ce16a23494132ddcc2d21477938ef3b5ee
+Head: 28aa5e47701436456d44e42a505033190371b497
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: eb3c85b71c56902290473a92e6c8f3ffa4852964
+  wip-manual-document-mt-safety-terminal.patch: af4517fcf40418c102664f0ad468424d974e1579
+  wip-manual-document-mt-safety-threads.patch: b788aa476a3f1241be343db5eed095d40d4e7f99
+  wip-manual-document-mt-safety-time.patch: d1221244d675ec6bcc205f518c664c13def4a4a6
+  wip-manual-document-mt-safety-locale.patch: 28aa5e47701436456d44e42a505033190371b497
 Unapplied:
-  wip-manual-document-mt-safety-terminal.patch: 151d9f30f9e5375996f750ce9ed1ca78c2557d04
-  wip-manual-document-mt-safety-threads.patch: dc11afc981135c6f118733ebf066a0bdc9d3cc9b
-  wip-manual-document-mt-safety-time.patch: a291cda1774c1e793b243fb5ddb2ce149146e05c
-  wip-manual-document-mt-safety-locale.patch: c9a3acd6f2fa5ad839ae93229d3ae2c2ab7a04e6
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index b99d2f8..4e8e107 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 511381f5668e2c5f5c71e78b94857fa5949c5e6a
-Top:    b3d747791c6e00f127bed74d0194e39b84d6c9fd
+Bottom: ea3ba54c73d659d8dfd72d24ca9bff1fd9d533a6
+Top:    31a338b2678571adc223b08713e368bb1acb39d9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 754a24f..c988723 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: af9838055fbc34eb8b44aa085a768b6672e2709a
-Top:    d8e3ec6f9c84125123581d0857fc1a7740d2ab5e
+Bottom: c7851f3716d07cb79899c2afd9060ba0012286ea
+Top:    a82741c4de572d76f0acefac779c7b54549081ad
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 4c7b0f3..24a89ae 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: d8e3ec6f9c84125123581d0857fc1a7740d2ab5e
-Top:    641c5335da113539c91a8a562d69e4238302df7e
+Bottom: a82741c4de572d76f0acefac779c7b54549081ad
+Top:    121d21001f9a090049c70d632774252aca77b79d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 5c0bd03..e021f3a 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 641c5335da113539c91a8a562d69e4238302df7e
-Top:    511381f5668e2c5f5c71e78b94857fa5949c5e6a
+Bottom: 121d21001f9a090049c70d632774252aca77b79d
+Top:    ea3ba54c73d659d8dfd72d24ca9bff1fd9d533a6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=28aa5e47701436456d44e42a505033190371b497

commit 28aa5e47701436456d44e42a505033190371b497
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..c61360b 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,51 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c    sysconf _SC_PAGE_SIZE ok
+@c    
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d1221244d675ec6bcc205f518c664c13def4a4a6

commit d1221244d675ec6bcc205f518c664c13def4a4a6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b788aa476a3f1241be343db5eed095d40d4e7f99

commit b788aa476a3f1241be343db5eed095d40d4e7f99
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=af4517fcf40418c102664f0ad468424d974e1579

commit af4517fcf40418c102664f0ad468424d974e1579
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5428a9ce16a23494132ddcc2d21477938ef3b5ee

commit 5428a9ce16a23494132ddcc2d21477938ef3b5ee
Merge: d8515c7 2aa2c5a eb3c85b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:43:17 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d8515c70915a4db348199ad3990f3a2fa25314b3

commit d8515c70915a4db348199ad3990f3a2fa25314b3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:43:17 2013 -0300

    refresh

diff --git a/meta b/meta
index a38d7cc..97c3d43 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: be4dfd95253efe35c9798bb597ecfecc577dbc29
-Head: ebcf6384c324c693605081cb3e82e0e90d67bc0d
+Previous: 2aa2c5a67e8c3e47045671b98533fe297ae7c392
+Head: eb3c85b71c56902290473a92e6c8f3ffa4852964
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -24,8 +24,7 @@ Applied:
   wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
-  wip-manual-document-mt-safety-string.patch: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
-  refresh-temp: ebcf6384c324c693605081cb3e82e0e90d67bc0d
+  wip-manual-document-mt-safety-string.patch: eb3c85b71c56902290473a92e6c8f3ffa4852964
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 151d9f30f9e5375996f750ce9ed1ca78c2557d04
   wip-manual-document-mt-safety-threads.patch: dc11afc981135c6f118733ebf066a0bdc9d3cc9b
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 11af8e7..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,29 +0,0 @@
-Bottom: af9838055fbc34eb8b44aa085a768b6672e2709a
-Top:    c7851f3716d07cb79899c2afd9060ba0012286ea
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 07:43:17 -0300
-
-Refresh of wip-manual-document-mt-safety-string.patch
-
----
-
-diff --git a/manual/string.texi b/manual/string.texi
-index b2e97bc..1408033 100644
---- a/manual/string.texi
-+++ b/manual/string.texi
-@@ -1646,6 +1646,7 @@ This function is a GNU extension.
- @comment string.h
- @comment ISO
- @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{strchr} function finds the first occurrence of the character
- @var{c} (converted to a @code{char}) in the null-terminated string
- beginning at @var{string}.  The return value is a pointer to the located
-@@ -1687,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
- @comment string.h
- @comment GNU
- @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- @code{strchrnul} is the same as @code{strchr} except that if it does
- not find the character, it returns a pointer to string's terminating
- null character rather than a null pointer.
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index da014c8..de41b62 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
 Bottom: 84ba7139fbdcfc5f51668f8a5c3e0d2ef1124263
-Top:    af9838055fbc34eb8b44aa085a768b6672e2709a
+Top:    c7851f3716d07cb79899c2afd9060ba0012286ea
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/string.texi b/manual/string.texi
-index 246be84..b2e97bc 100644
+index 246be84..1408033 100644
 --- a/manual/string.texi
 +++ b/manual/string.texi
 @@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
@@ -46,7 +46,23 @@ index 246be84..b2e97bc 100644
  The @code{strcoll} function is similar to @code{strcmp} but uses the
  collating sequence of the current locale for collation (the
  @code{LC_COLLATE} locale).
-@@ -2675,3 +2684,6 @@ being added to @var{envz}, if @var{override} is false.
+@@ -1637,6 +1646,7 @@ This function is a GNU extension.
+ @comment string.h
+ @comment ISO
+ @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{strchr} function finds the first occurrence of the character
+ @var{c} (converted to a @code{char}) in the null-terminated string
+ beginning at @var{string}.  The return value is a pointer to the located
+@@ -1678,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
+ @comment string.h
+ @comment GNU
+ @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @code{strchrnul} is the same as @code{strchr} except that if it does
+ not find the character, it returns a pointer to string's terminating
+ null character rather than a null pointer.
+@@ -2675,3 +2686,6 @@ being added to @var{envz}, if @var{override} is false.
  The @code{envz_strip} function removes any null entries from @var{envz},
  updating @code{*@var{envz}} and @code{*@var{envz_len}}.
  @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2aa2c5a67e8c3e47045671b98533fe297ae7c392

commit 2aa2c5a67e8c3e47045671b98533fe297ae7c392
Merge: a463f86 be4dfd9 ebcf638
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:43:17 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a463f868ddee03aa3a1ca4c836cd65688e8e97d8

commit a463f868ddee03aa3a1ca4c836cd65688e8e97d8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:43:17 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 4ac2bf9..a38d7cc 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a67c68634f93c5105d53ff73050a9567efa32855
-Head: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
+Previous: be4dfd95253efe35c9798bb597ecfecc577dbc29
+Head: ebcf6384c324c693605081cb3e82e0e90d67bc0d
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,6 +25,7 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
+  refresh-temp: ebcf6384c324c693605081cb3e82e0e90d67bc0d
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 151d9f30f9e5375996f750ce9ed1ca78c2557d04
   wip-manual-document-mt-safety-threads.patch: dc11afc981135c6f118733ebf066a0bdc9d3cc9b
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..11af8e7
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,29 @@
+Bottom: af9838055fbc34eb8b44aa085a768b6672e2709a
+Top:    c7851f3716d07cb79899c2afd9060ba0012286ea
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 07:43:17 -0300
+
+Refresh of wip-manual-document-mt-safety-string.patch
+
+---
+
+diff --git a/manual/string.texi b/manual/string.texi
+index b2e97bc..1408033 100644
+--- a/manual/string.texi
++++ b/manual/string.texi
+@@ -1646,6 +1646,7 @@ This function is a GNU extension.
+ @comment string.h
+ @comment ISO
+ @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{strchr} function finds the first occurrence of the character
+ @var{c} (converted to a @code{char}) in the null-terminated string
+ beginning at @var{string}.  The return value is a pointer to the located
+@@ -1687,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
+ @comment string.h
+ @comment GNU
+ @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @code{strchrnul} is the same as @code{strchr} except that if it does
+ not find the character, it returns a pointer to string's terminating
+ null character rather than a null pointer.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ebcf6384c324c693605081cb3e82e0e90d67bc0d

commit ebcf6384c324c693605081cb3e82e0e90d67bc0d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:43:17 2013 -0300

    Refresh of wip-manual-document-mt-safety-string.patch

diff --git a/manual/string.texi b/manual/string.texi
index b2e97bc..1408033 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1646,6 +1646,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1687,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=be4dfd95253efe35c9798bb597ecfecc577dbc29

commit be4dfd95253efe35c9798bb597ecfecc577dbc29
Merge: b60a366 a67c686
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:42:38 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b60a3667a5c997acc76d052a13310076df12f94c

commit b60a3667a5c997acc76d052a13310076df12f94c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:42:38 2013 -0300

    goto

diff --git a/meta b/meta
index 97dfa44..4ac2bf9 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: e59651198625879010e0d6e986d39d7bdbd82bcd
-Head: c9a3acd6f2fa5ad839ae93229d3ae2c2ab7a04e6
+Previous: a67c68634f93c5105d53ff73050a9567efa32855
+Head: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
+Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 151d9f30f9e5375996f750ce9ed1ca78c2557d04
   wip-manual-document-mt-safety-threads.patch: dc11afc981135c6f118733ebf066a0bdc9d3cc9b
   wip-manual-document-mt-safety-time.patch: a291cda1774c1e793b243fb5ddb2ce149146e05c
   wip-manual-document-mt-safety-locale.patch: c9a3acd6f2fa5ad839ae93229d3ae2c2ab7a04e6
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a67c68634f93c5105d53ff73050a9567efa32855

commit a67c68634f93c5105d53ff73050a9567efa32855
Merge: a5b517e c9a3acd e596511
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:42:35 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a5b517e37839e5a6478fa534c894db73b4c80e14

commit a5b517e37839e5a6478fa534c894db73b4c80e14
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:42:35 2013 -0300

    refresh

diff --git a/meta b/meta
index 88d40a2..97dfa44 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 2cd30eb6c230077a3e622ed79af2025dec59521e
-Head: 361c2f138f00349780d52cee4bc6b07fa145d837
+Previous: e59651198625879010e0d6e986d39d7bdbd82bcd
+Head: c9a3acd6f2fa5ad839ae93229d3ae2c2ab7a04e6
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 151d9f30f9e5375996f750ce9ed1ca78c2557d04
   wip-manual-document-mt-safety-threads.patch: dc11afc981135c6f118733ebf066a0bdc9d3cc9b
   wip-manual-document-mt-safety-time.patch: a291cda1774c1e793b243fb5ddb2ce149146e05c
-  wip-manual-document-mt-safety-locale.patch: 5e94ebf07ad1a532d9e6ece0ddd7245359f11aa5
-  refresh-temp: 361c2f138f00349780d52cee4bc6b07fa145d837
+  wip-manual-document-mt-safety-locale.patch: c9a3acd6f2fa5ad839ae93229d3ae2c2ab7a04e6
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 0364d3b..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,22 +0,0 @@
-Bottom: 52646e829b2c835e9171de316383f334d9b3e858
-Top:    b3d747791c6e00f127bed74d0194e39b84d6c9fd
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 07:42:34 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index fb6de4e..c61360b 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -243,6 +243,8 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c  _nl_find_locale
- @c   getenv LC_ALL and LANG envromt
- @c   _nl_load_locale_from_archive
-+@c    sysconf _SC_PAGE_SIZE ok
-+@c    
- @c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
- @c    libc_lock_lock selfdeadlock, lockleak
- @c    bsearch ok
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 42fce49..b99d2f8 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: 511381f5668e2c5f5c71e78b94857fa5949c5e6a
-Top:    52646e829b2c835e9171de316383f334d9b3e858
+Top:    b3d747791c6e00f127bed74d0194e39b84d6c9fd
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
@@ -13,10 +13,10 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..fb6de4e 100644
+index 2f10fcd..c61360b 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
-@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
+@@ -224,6 +224,51 @@ The symbols in this section are defined in the header file @file{locale.h}.
  @comment locale.h
  @comment ISO
  @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
@@ -39,6 +39,8 @@ index 2f10fcd..fb6de4e 100644
 +@c  _nl_find_locale
 +@c   getenv LC_ALL and LANG envromt
 +@c   _nl_load_locale_from_archive
++@c    sysconf _SC_PAGE_SIZE ok
++@c    
 +@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
 +@c    libc_lock_lock selfdeadlock, lockleak
 +@c    bsearch ok

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e59651198625879010e0d6e986d39d7bdbd82bcd

commit e59651198625879010e0d6e986d39d7bdbd82bcd
Merge: 5d5ff05 2cd30eb 361c2f1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:42:35 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d5ff05a908aa72fb6f30eb1c51797774905e275

commit 5d5ff05a908aa72fb6f30eb1c51797774905e275
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:42:35 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 2bd4d28..88d40a2 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 3d8fa4879f06401d0916c29b6f776a437dba442d
-Head: 5e94ebf07ad1a532d9e6ece0ddd7245359f11aa5
+Previous: 2cd30eb6c230077a3e622ed79af2025dec59521e
+Head: 361c2f138f00349780d52cee4bc6b07fa145d837
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: dc11afc981135c6f118733ebf066a0bdc9d3cc9b
   wip-manual-document-mt-safety-time.patch: a291cda1774c1e793b243fb5ddb2ce149146e05c
   wip-manual-document-mt-safety-locale.patch: 5e94ebf07ad1a532d9e6ece0ddd7245359f11aa5
+  refresh-temp: 361c2f138f00349780d52cee4bc6b07fa145d837
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..0364d3b
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,22 @@
+Bottom: 52646e829b2c835e9171de316383f334d9b3e858
+Top:    b3d747791c6e00f127bed74d0194e39b84d6c9fd
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 07:42:34 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index fb6de4e..c61360b 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -243,6 +243,8 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c  _nl_find_locale
+ @c   getenv LC_ALL and LANG envromt
+ @c   _nl_load_locale_from_archive
++@c    sysconf _SC_PAGE_SIZE ok
++@c    
+ @c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+ @c    libc_lock_lock selfdeadlock, lockleak
+ @c    bsearch ok

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=361c2f138f00349780d52cee4bc6b07fa145d837

commit 361c2f138f00349780d52cee4bc6b07fa145d837
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:42:34 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index fb6de4e..c61360b 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -243,6 +243,8 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c  _nl_find_locale
 @c   getenv LC_ALL and LANG envromt
 @c   _nl_load_locale_from_archive
+@c    sysconf _SC_PAGE_SIZE ok
+@c    
 @c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
 @c    libc_lock_lock selfdeadlock, lockleak
 @c    bsearch ok

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2cd30eb6c230077a3e622ed79af2025dec59521e

commit 2cd30eb6c230077a3e622ed79af2025dec59521e
Merge: f1c281a 3d8fa48 5e94ebf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:25:31 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f1c281a1d354d4785e5bdfdb76dfecb2d79bad56

commit f1c281a1d354d4785e5bdfdb76dfecb2d79bad56
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:25:31 2013 -0300

    push

diff --git a/meta b/meta
index 9fe7e61..2bd4d28 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 94e29d80265b52207e565e321e9db968c8f4d4c5
-Head: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
+Previous: 3d8fa4879f06401d0916c29b6f776a437dba442d
+Head: 5e94ebf07ad1a532d9e6ece0ddd7245359f11aa5
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
+  wip-manual-document-mt-safety-terminal.patch: 151d9f30f9e5375996f750ce9ed1ca78c2557d04
+  wip-manual-document-mt-safety-threads.patch: dc11afc981135c6f118733ebf066a0bdc9d3cc9b
+  wip-manual-document-mt-safety-time.patch: a291cda1774c1e793b243fb5ddb2ce149146e05c
+  wip-manual-document-mt-safety-locale.patch: 5e94ebf07ad1a532d9e6ece0ddd7245359f11aa5
 Unapplied:
-  wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
-  wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
-  wip-manual-document-mt-safety-time.patch: 35e818c9626eab6fb53649cf7635ff64427fb5d9
-  wip-manual-document-mt-safety-locale.patch: 0d6b7b87884a1f14a235b23ba098e70a0541225a
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 98bac37..42fce49 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 2fa9c7496d316b6dac213c6948024196e3a9ec7a
-Top:    057edc20976415995ffe1c7466b372eee5307111
+Bottom: 511381f5668e2c5f5c71e78b94857fa5949c5e6a
+Top:    52646e829b2c835e9171de316383f334d9b3e858
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index b6bb922..754a24f 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 96abc16a5fe1474a4250dc5d84dad1ed6af54a96
-Top:    f5fb28eacd5fb855456f96149f0a3685416ef28f
+Bottom: af9838055fbc34eb8b44aa085a768b6672e2709a
+Top:    d8e3ec6f9c84125123581d0857fc1a7740d2ab5e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 23a6f69..4c7b0f3 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: f5fb28eacd5fb855456f96149f0a3685416ef28f
-Top:    78eb6bbe9d1393a8eb05ed604e663d665fba6fe7
+Bottom: d8e3ec6f9c84125123581d0857fc1a7740d2ab5e
+Top:    641c5335da113539c91a8a562d69e4238302df7e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index f0e31f9..5c0bd03 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 78eb6bbe9d1393a8eb05ed604e663d665fba6fe7
-Top:    2fa9c7496d316b6dac213c6948024196e3a9ec7a
+Bottom: 641c5335da113539c91a8a562d69e4238302df7e
+Top:    511381f5668e2c5f5c71e78b94857fa5949c5e6a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c9a3acd6f2fa5ad839ae93229d3ae2c2ab7a04e6

commit c9a3acd6f2fa5ad839ae93229d3ae2c2ab7a04e6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..c61360b 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,51 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c    sysconf _SC_PAGE_SIZE ok
+@c    
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5e94ebf07ad1a532d9e6ece0ddd7245359f11aa5

commit 5e94ebf07ad1a532d9e6ece0ddd7245359f11aa5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..fb6de4e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a291cda1774c1e793b243fb5ddb2ce149146e05c

commit a291cda1774c1e793b243fb5ddb2ce149146e05c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dc11afc981135c6f118733ebf066a0bdc9d3cc9b

commit dc11afc981135c6f118733ebf066a0bdc9d3cc9b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=151d9f30f9e5375996f750ce9ed1ca78c2557d04

commit 151d9f30f9e5375996f750ce9ed1ca78c2557d04
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3d8fa4879f06401d0916c29b6f776a437dba442d

commit 3d8fa4879f06401d0916c29b6f776a437dba442d
Merge: 24a50b1 94e29d8 f837e60
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:25:29 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=24a50b1f949191efbccd45d1adf068e4303195c3

commit 24a50b1f949191efbccd45d1adf068e4303195c3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:25:29 2013 -0300

    refresh

diff --git a/meta b/meta
index 34e5c7f..9fe7e61 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 142338a8020dbd9573ab658ae9e9a337b06fb1b4
-Head: 2018a4c434021a317c4b5853c012d9ca4e1493ea
+Previous: 94e29d80265b52207e565e321e9db968c8f4d4c5
+Head: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -24,8 +24,7 @@ Applied:
   wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
-  wip-manual-document-mt-safety-string.patch: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
-  refresh-temp: 2018a4c434021a317c4b5853c012d9ca4e1493ea
+  wip-manual-document-mt-safety-string.patch: f837e602ebfa9526f10cd34ce6279699cd6bdf6d
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
   wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 336d5a4..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,20 +0,0 @@
-Bottom: 96abc16a5fe1474a4250dc5d84dad1ed6af54a96
-Top:    af9838055fbc34eb8b44aa085a768b6672e2709a
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 07:25:28 -0300
-
-Refresh of wip-manual-document-mt-safety-string.patch
-
----
-
-diff --git a/manual/string.texi b/manual/string.texi
-index 6673a61..b2e97bc 100644
---- a/manual/string.texi
-+++ b/manual/string.texi
-@@ -2684,3 +2684,6 @@ being added to @var{envz}, if @var{override} is false.
- The @code{envz_strip} function removes any null entries from @var{envz},
- updating @code{*@var{envz}} and @code{*@var{envz_len}}.
- @end deftypefun
-+
-+@c FIXME this are undocumented:
-+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 3f62e14..da014c8 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
 Bottom: 84ba7139fbdcfc5f51668f8a5c3e0d2ef1124263
-Top:    96abc16a5fe1474a4250dc5d84dad1ed6af54a96
+Top:    af9838055fbc34eb8b44aa085a768b6672e2709a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/string.texi b/manual/string.texi
-index 246be84..6673a61 100644
+index 246be84..b2e97bc 100644
 --- a/manual/string.texi
 +++ b/manual/string.texi
 @@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
@@ -46,3 +46,10 @@ index 246be84..6673a61 100644
  The @code{strcoll} function is similar to @code{strcmp} but uses the
  collating sequence of the current locale for collation (the
  @code{LC_COLLATE} locale).
+@@ -2675,3 +2684,6 @@ being added to @var{envz}, if @var{override} is false.
+ The @code{envz_strip} function removes any null entries from @var{envz},
+ updating @code{*@var{envz}} and @code{*@var{envz_len}}.
+ @end deftypefun
++
++@c FIXME this are undocumented:
++@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=94e29d80265b52207e565e321e9db968c8f4d4c5

commit 94e29d80265b52207e565e321e9db968c8f4d4c5
Merge: 00079d2 142338a 2018a4c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:25:29 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=00079d276278be7620c3c4acf0beeac42a0629be

commit 00079d276278be7620c3c4acf0beeac42a0629be
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:25:29 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 7e591a3..34e5c7f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 86b252b4e0fd3a5bbbb4389ca245411c5a2b2cab
-Head: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
+Previous: 142338a8020dbd9573ab658ae9e9a337b06fb1b4
+Head: 2018a4c434021a317c4b5853c012d9ca4e1493ea
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,6 +25,7 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
+  refresh-temp: 2018a4c434021a317c4b5853c012d9ca4e1493ea
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
   wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..336d5a4
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,20 @@
+Bottom: 96abc16a5fe1474a4250dc5d84dad1ed6af54a96
+Top:    af9838055fbc34eb8b44aa085a768b6672e2709a
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 07:25:28 -0300
+
+Refresh of wip-manual-document-mt-safety-string.patch
+
+---
+
+diff --git a/manual/string.texi b/manual/string.texi
+index 6673a61..b2e97bc 100644
+--- a/manual/string.texi
++++ b/manual/string.texi
+@@ -2684,3 +2684,6 @@ being added to @var{envz}, if @var{override} is false.
+ The @code{envz_strip} function removes any null entries from @var{envz},
+ updating @code{*@var{envz}} and @code{*@var{envz_len}}.
+ @end deftypefun
++
++@c FIXME this are undocumented:
++@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2018a4c434021a317c4b5853c012d9ca4e1493ea

commit 2018a4c434021a317c4b5853c012d9ca4e1493ea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:25:28 2013 -0300

    Refresh of wip-manual-document-mt-safety-string.patch

diff --git a/manual/string.texi b/manual/string.texi
index 6673a61..b2e97bc 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -2684,3 +2684,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=142338a8020dbd9573ab658ae9e9a337b06fb1b4

commit 142338a8020dbd9573ab658ae9e9a337b06fb1b4
Merge: d59c0ad 86b252b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:24:06 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d59c0ade89a049bd30d8f82e4ca0a4df8e078106

commit d59c0ade89a049bd30d8f82e4ca0a4df8e078106
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:24:05 2013 -0300

    goto

diff --git a/meta b/meta
index 9ad3ef3..7e591a3 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a6502fa2c6ae71b28a941ce720f4deb7f49677cc
-Head: 0d6b7b87884a1f14a235b23ba098e70a0541225a
+Previous: 86b252b4e0fd3a5bbbb4389ca245411c5a2b2cab
+Head: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
+Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
   wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
   wip-manual-document-mt-safety-time.patch: 35e818c9626eab6fb53649cf7635ff64427fb5d9
   wip-manual-document-mt-safety-locale.patch: 0d6b7b87884a1f14a235b23ba098e70a0541225a
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=86b252b4e0fd3a5bbbb4389ca245411c5a2b2cab

commit 86b252b4e0fd3a5bbbb4389ca245411c5a2b2cab
Merge: c5d742a a6502fa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:48 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c5d742a23e6380bf8d7bfe7459d9b9401902f305

commit c5d742a23e6380bf8d7bfe7459d9b9401902f305
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:48 2013 -0300

    push

diff --git a/meta b/meta
index e0158a5..9ad3ef3 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a07f90227ed1cdca12cb12c5b0afb9a822e709d3
-Head: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
+Previous: a6502fa2c6ae71b28a941ce720f4deb7f49677cc
+Head: 0d6b7b87884a1f14a235b23ba098e70a0541225a
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
-Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
   wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
   wip-manual-document-mt-safety-time.patch: 35e818c9626eab6fb53649cf7635ff64427fb5d9
   wip-manual-document-mt-safety-locale.patch: 0d6b7b87884a1f14a235b23ba098e70a0541225a
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a6502fa2c6ae71b28a941ce720f4deb7f49677cc

commit a6502fa2c6ae71b28a941ce720f4deb7f49677cc
Merge: a1cd0ed a07f902
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:08 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a1cd0ed613a1745dc7e0a5f4197414b10c39ca8c

commit a1cd0ed613a1745dc7e0a5f4197414b10c39ca8c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:08 2013 -0300

    goto

diff --git a/meta b/meta
index 1e6d97c..e0158a5 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 8eeba823c9906f1aec640439a3dccdc7dfaa7a47
-Head: 0d6b7b87884a1f14a235b23ba098e70a0541225a
+Previous: a07f90227ed1cdca12cb12c5b0afb9a822e709d3
+Head: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
   wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
   wip-manual-document-mt-safety-string.patch: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
+Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
   wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
   wip-manual-document-mt-safety-time.patch: 35e818c9626eab6fb53649cf7635ff64427fb5d9
   wip-manual-document-mt-safety-locale.patch: 0d6b7b87884a1f14a235b23ba098e70a0541225a
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a07f90227ed1cdca12cb12c5b0afb9a822e709d3

commit a07f90227ed1cdca12cb12c5b0afb9a822e709d3
Merge: 40d9e6d 0d6b7b8 8eeba82
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:06 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=40d9e6dab4a7c9697ef9f7f28f233e30ee7bbda9

commit 40d9e6dab4a7c9697ef9f7f28f233e30ee7bbda9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:06 2013 -0300

    refresh

diff --git a/meta b/meta
index 7ed8708..1e6d97c 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: cdd0e2b60c1518d66669ee829bead657d1c08da5
-Head: 9121c24301b61d4a8716d05e9726cd768c19ba41
+Previous: 8eeba823c9906f1aec640439a3dccdc7dfaa7a47
+Head: 0d6b7b87884a1f14a235b23ba098e70a0541225a
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
   wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
   wip-manual-document-mt-safety-time.patch: 35e818c9626eab6fb53649cf7635ff64427fb5d9
-  wip-manual-document-mt-safety-locale.patch: a76afadca1a9bb91e89ae6d03785bf81ca328a24
-  refresh-temp: 9121c24301b61d4a8716d05e9726cd768c19ba41
+  wip-manual-document-mt-safety-locale.patch: 0d6b7b87884a1f14a235b23ba098e70a0541225a
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index ebd0b6c..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,31 +0,0 @@
-Bottom: dd2a7c3959e28966b59d46e83be8ee3831b3badd
-Top:    057edc20976415995ffe1c7466b372eee5307111
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 07:23:05 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index 7d04c64..fb6de4e 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -243,7 +243,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c  _nl_find_locale
- @c   getenv LC_ALL and LANG envromt
- @c   _nl_load_locale_from_archive
--@c   _nl_expand_alias
-+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
- @c    libc_lock_lock selfdeadlock, lockleak
- @c    bsearch ok
- @c     alias_compare ok
-@@ -266,7 +266,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c   _nl_load_locale
- @c   __gconv_compare_alias
- @c   strndup asmalloc, memleak
--@c   strcasecmp_l (C locale)
-+@c   strcasecmp_l ok (C locale)
- The function @code{setlocale} sets the current locale for category
- @var{category} to @var{locale}.  A list of all the locales the system
- provides can be created by running
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 698f3fa..98bac37 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: 2fa9c7496d316b6dac213c6948024196e3a9ec7a
-Top:    dd2a7c3959e28966b59d46e83be8ee3831b3badd
+Top:    057edc20976415995ffe1c7466b372eee5307111
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..7d04c64 100644
+index 2f10fcd..fb6de4e 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
 @@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
@@ -39,7 +39,7 @@ index 2f10fcd..7d04c64 100644
 +@c  _nl_find_locale
 +@c   getenv LC_ALL and LANG envromt
 +@c   _nl_load_locale_from_archive
-+@c   _nl_expand_alias
++@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
 +@c    libc_lock_lock selfdeadlock, lockleak
 +@c    bsearch ok
 +@c     alias_compare ok
@@ -62,7 +62,7 @@ index 2f10fcd..7d04c64 100644
 +@c   _nl_load_locale
 +@c   __gconv_compare_alias
 +@c   strndup asmalloc, memleak
-+@c   strcasecmp_l (C locale)
++@c   strcasecmp_l ok (C locale)
  The function @code{setlocale} sets the current locale for category
  @var{category} to @var{locale}.  A list of all the locales the system
  provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8eeba823c9906f1aec640439a3dccdc7dfaa7a47

commit 8eeba823c9906f1aec640439a3dccdc7dfaa7a47
Merge: d12445c cdd0e2b 9121c24
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:06 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d12445ce5bfab09e942863a068004242bb7e35c8

commit d12445ce5bfab09e942863a068004242bb7e35c8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:06 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 552c349..7ed8708 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 2615eff66f58ba2a674c2cd04ce18ea133f75898
-Head: a76afadca1a9bb91e89ae6d03785bf81ca328a24
+Previous: cdd0e2b60c1518d66669ee829bead657d1c08da5
+Head: 9121c24301b61d4a8716d05e9726cd768c19ba41
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
   wip-manual-document-mt-safety-time.patch: 35e818c9626eab6fb53649cf7635ff64427fb5d9
   wip-manual-document-mt-safety-locale.patch: a76afadca1a9bb91e89ae6d03785bf81ca328a24
+  refresh-temp: 9121c24301b61d4a8716d05e9726cd768c19ba41
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..ebd0b6c
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,31 @@
+Bottom: dd2a7c3959e28966b59d46e83be8ee3831b3badd
+Top:    057edc20976415995ffe1c7466b372eee5307111
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 07:23:05 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 7d04c64..fb6de4e 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -243,7 +243,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c  _nl_find_locale
+ @c   getenv LC_ALL and LANG envromt
+ @c   _nl_load_locale_from_archive
+-@c   _nl_expand_alias
++@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+ @c    libc_lock_lock selfdeadlock, lockleak
+ @c    bsearch ok
+ @c     alias_compare ok
+@@ -266,7 +266,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c   _nl_load_locale
+ @c   __gconv_compare_alias
+ @c   strndup asmalloc, memleak
+-@c   strcasecmp_l (C locale)
++@c   strcasecmp_l ok (C locale)
+ The function @code{setlocale} sets the current locale for category
+ @var{category} to @var{locale}.  A list of all the locales the system
+ provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9121c24301b61d4a8716d05e9726cd768c19ba41

commit 9121c24301b61d4a8716d05e9726cd768c19ba41
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:23:05 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index 7d04c64..fb6de4e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -243,7 +243,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c  _nl_find_locale
 @c   getenv LC_ALL and LANG envromt
 @c   _nl_load_locale_from_archive
-@c   _nl_expand_alias
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
 @c    libc_lock_lock selfdeadlock, lockleak
 @c    bsearch ok
 @c     alias_compare ok
@@ -266,7 +266,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c   _nl_load_locale
 @c   __gconv_compare_alias
 @c   strndup asmalloc, memleak
-@c   strcasecmp_l (C locale)
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cdd0e2b60c1518d66669ee829bead657d1c08da5

commit cdd0e2b60c1518d66669ee829bead657d1c08da5
Merge: 4de3f3d 2615eff a76afad
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:46 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4de3f3d9ed63d626a41394eaa377ac72a8f7ba9c

commit 4de3f3d9ed63d626a41394eaa377ac72a8f7ba9c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:46 2013 -0300

    push

diff --git a/meta b/meta
index 30d76a4..552c349 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7ad8fde6572deea2bd8dece20f468f0c0269b03e
-Head: fc558f0f09d7886fab6a27dd914edd28b2e785c0
+Previous: 2615eff66f58ba2a674c2cd04ce18ea133f75898
+Head: a76afadca1a9bb91e89ae6d03785bf81ca328a24
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -22,12 +22,12 @@ Applied:
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
+  wip-manual-document-mt-safety-startup.patch: fe85266926a3cdc0450318fd07dc476cf7e3a867
+  wip-manual-document-mt-safety-search.patch: d2a32ac036016171fc3833d98a4237ad820c1e57
+  wip-manual-document-mt-safety-string.patch: a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
+  wip-manual-document-mt-safety-terminal.patch: 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
+  wip-manual-document-mt-safety-threads.patch: 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
+  wip-manual-document-mt-safety-time.patch: 35e818c9626eab6fb53649cf7635ff64427fb5d9
+  wip-manual-document-mt-safety-locale.patch: a76afadca1a9bb91e89ae6d03785bf81ca328a24
 Unapplied:
-  wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
-  wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
-  wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
-  wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383
-  wip-manual-document-mt-safety-threads.patch: 3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb
-  wip-manual-document-mt-safety-time.patch: 99f4367ed4a5684759f98c0a3892814471c5614c
-  wip-manual-document-mt-safety-locale.patch: 6f4e45cf07d6783744862ecdec3b2b869616e82c
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 343894a..698f3fa 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: fe8bad047b580707f9f180cdd7e8d6ae53b04de7
-Top:    455c2ab778a60b1dcb4297adc071869fa6d1b05a
+Bottom: 2fa9c7496d316b6dac213c6948024196e3a9ec7a
+Top:    dd2a7c3959e28966b59d46e83be8ee3831b3badd
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index fee21d1..9f3f3cb 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 6ce35abc40d1550d75f2977d616b3878eeadcd9b
-Top:    32435639dae1b4c2a97e179c96d3885673119e94
+Bottom: 7b5b5d8f990508d27c92e7be27499ab075fcd831
+Top:    84ba7139fbdcfc5f51668f8a5c3e0d2ef1124263
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 34471ed..92fa78a 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 11d1dc9eeba934ab536b2fddf3eb7e4e30268ee3
-Top:    6ce35abc40d1550d75f2977d616b3878eeadcd9b
+Bottom: 287a1605130347164da91db888a4abb2da4313a8
+Top:    7b5b5d8f990508d27c92e7be27499ab075fcd831
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 6e1dac1..3f62e14 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 7c3a36b19e96ca71f5c07915ec0dbf244fd1096d
-Top:    fda3912674c43eb3cfb9ce73f0a0a3895805a9d4
+Bottom: 84ba7139fbdcfc5f51668f8a5c3e0d2ef1124263
+Top:    96abc16a5fe1474a4250dc5d84dad1ed6af54a96
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 162f061..b6bb922 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: fda3912674c43eb3cfb9ce73f0a0a3895805a9d4
-Top:    057d2ee57322c5e4282a657439967073a343503c
+Bottom: 96abc16a5fe1474a4250dc5d84dad1ed6af54a96
+Top:    f5fb28eacd5fb855456f96149f0a3685416ef28f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 0c465c2..23a6f69 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 057d2ee57322c5e4282a657439967073a343503c
-Top:    c17c82ee20bfc86b88263accac9d3e2bbc7e3114
+Bottom: f5fb28eacd5fb855456f96149f0a3685416ef28f
+Top:    78eb6bbe9d1393a8eb05ed604e663d665fba6fe7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index a8d446d..f0e31f9 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: c17c82ee20bfc86b88263accac9d3e2bbc7e3114
-Top:    fe8bad047b580707f9f180cdd7e8d6ae53b04de7
+Bottom: 78eb6bbe9d1393a8eb05ed604e663d665fba6fe7
+Top:    2fa9c7496d316b6dac213c6948024196e3a9ec7a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0d6b7b87884a1f14a235b23ba098e70a0541225a

commit 0d6b7b87884a1f14a235b23ba098e70a0541225a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..fb6de4e 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c   _nl_expand_alias asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l ok (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a76afadca1a9bb91e89ae6d03785bf81ca328a24

commit a76afadca1a9bb91e89ae6d03785bf81ca328a24
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..7d04c64 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c   _nl_expand_alias
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=35e818c9626eab6fb53649cf7635ff64427fb5d9

commit 35e818c9626eab6fb53649cf7635ff64427fb5d9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=244ca703c6f4b5d76aa48f77a3416c1bb61aefec

commit 244ca703c6f4b5d76aa48f77a3416c1bb61aefec
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eb3c85b71c56902290473a92e6c8f3ffa4852964

commit eb3c85b71c56902290473a92e6c8f3ffa4852964
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..1408033 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -1637,6 +1646,7 @@ This function is a GNU extension.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strchr (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{strchr} function finds the first occurrence of the character
 @var{c} (converted to a @code{char}) in the null-terminated string
 beginning at @var{string}.  The return value is a pointer to the located
@@ -1678,6 +1688,7 @@ to use @code{wcschrnul} in this case, though.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strchrnul (const char *@var{string}, int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{strchrnul} is the same as @code{strchr} except that if it does
 not find the character, it returns a pointer to string's terminating
 null character rather than a null pointer.
@@ -2675,3 +2686,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f837e602ebfa9526f10cd34ce6279699cd6bdf6d

commit f837e602ebfa9526f10cd34ce6279699cd6bdf6d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..b2e97bc 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
@@ -2675,3 +2684,6 @@ being added to @var{envz}, if @var{override} is false.
 The @code{envz_strip} function removes any null entries from @var{envz},
 updating @code{*@var{envz}} and @code{*@var{envz_len}}.
 @end deftypefun
+
+@c FIXME this are undocumented:
+@c strcasecmp_l @safety{@mtsafe{}@assafe{}@acsafe{}} see strcasecmp

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a7c3f473d44754adf4dd8c4a0fd99fa137f9db69

commit a7c3f473d44754adf4dd8c4a0fd99fa137f9db69
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..6673a61 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd

commit 082eb6cee886cbe72d0a07ee2a7aea1d83d3ccdd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d2a32ac036016171fc3833d98a4237ad820c1e57

commit d2a32ac036016171fc3833d98a4237ad820c1e57
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe85266926a3cdc0450318fd07dc476cf7e3a867

commit fe85266926a3cdc0450318fd07dc476cf7e3a867
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2615eff66f58ba2a674c2cd04ce18ea133f75898

commit 2615eff66f58ba2a674c2cd04ce18ea133f75898
Merge: 82871aa fc558f0 7ad8fde
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:38 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=82871aa67761c235a0487aa0b5d6d879fc3d5601

commit 82871aa67761c235a0487aa0b5d6d879fc3d5601
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:38 2013 -0300

    float

diff --git a/meta b/meta
index ed3faf8..30d76a4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a5c89a3cc3efb081ead1f5a014b295b47a76476b
-Head: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
+Previous: 7ad8fde6572deea2bd8dece20f468f0c0269b03e
+Head: fc558f0f09d7886fab6a27dd914edd28b2e785c0
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -21,9 +21,9 @@ Applied:
   manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
+  wip-manual-document-mt-safety-resource.patch: fc558f0f09d7886fab6a27dd914edd28b2e785c0
 Unapplied:
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
-  wip-manual-document-mt-safety-resource.patch: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
   wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index d7299d1..2b03b87 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 6ce35abc40d1550d75f2977d616b3878eeadcd9b
-Top:    7b5b5d8f990508d27c92e7be27499ab075fcd831
+Bottom: 11d1dc9eeba934ab536b2fddf3eb7e4e30268ee3
+Top:    287a1605130347164da91db888a4abb2da4313a8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fc558f0f09d7886fab6a27dd914edd28b2e785c0

commit fc558f0f09d7886fab6a27dd914edd28b2e785c0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7ad8fde6572deea2bd8dece20f468f0c0269b03e

commit 7ad8fde6572deea2bd8dece20f468f0c0269b03e
Merge: 6cb6f77 a5c89a3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:35 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6cb6f7773bd87093394cc0e6e29f50b7c941833c

commit 6cb6f7773bd87093394cc0e6e29f50b7c941833c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:35 2013 -0300

    pop

diff --git a/meta b/meta
index 8de722b..ed3faf8 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ad33171bc2776277971723cc706379d250ae9d58
-Head: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
+Previous: a5c89a3cc3efb081ead1f5a014b295b47a76476b
+Head: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -21,9 +21,9 @@ Applied:
   manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
+Unapplied:
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
   wip-manual-document-mt-safety-resource.patch: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
-Unapplied:
   wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a5c89a3cc3efb081ead1f5a014b295b47a76476b

commit a5c89a3cc3efb081ead1f5a014b295b47a76476b
Merge: 63f7ae5 ad33171
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:27 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=63f7ae51a949534475ce489633f995b152bfefb6

commit 63f7ae51a949534475ce489633f995b152bfefb6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:27 2013 -0300

    float

diff --git a/meta b/meta
index 28812a7..8de722b 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 07e9fdf024892970154649093ccac69ee57d673a
-Head: 12d50c8632aaee2f0763bb48c0b69349b09022bb
+Previous: ad33171bc2776277971723cc706379d250ae9d58
+Head: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -22,8 +22,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
-Unapplied:
   wip-manual-document-mt-safety-resource.patch: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
+Unapplied:
   wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ad33171bc2776277971723cc706379d250ae9d58

commit ad33171bc2776277971723cc706379d250ae9d58
Merge: 2228cfd 07e9fdf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:25 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2228cfd0e8b76b26ff32fef0c9996a4db86065e9

commit 2228cfd0e8b76b26ff32fef0c9996a4db86065e9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:25 2013 -0300

    pop

diff --git a/meta b/meta
index a5bd006..28812a7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 982014f3805467e9b2c5b7df8dad4e75c9f31ea8
-Head: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
+Previous: 07e9fdf024892970154649093ccac69ee57d673a
+Head: 12d50c8632aaee2f0763bb48c0b69349b09022bb
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -22,8 +22,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
-  wip-manual-document-mt-safety-resource.patch: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
 Unapplied:
+  wip-manual-document-mt-safety-resource.patch: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
   wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=07e9fdf024892970154649093ccac69ee57d673a

commit 07e9fdf024892970154649093ccac69ee57d673a
Merge: 3a0b725 eb47e54 982014f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:20 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3a0b725e8caabfdc5234de6be2f3ba55d77be297

commit 3a0b725e8caabfdc5234de6be2f3ba55d77be297
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:20 2013 -0300

    float

diff --git a/meta b/meta
index 4e4f4a9..a5bd006 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: fca20470d3621b5a0f7fd2ffff979889c2307fa5
-Head: 12d50c8632aaee2f0763bb48c0b69349b09022bb
+Previous: 982014f3805467e9b2c5b7df8dad4e75c9f31ea8
+Head: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -22,9 +22,9 @@ Applied:
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
+  wip-manual-document-mt-safety-resource.patch: eb47e54bf344d09d6c151a1bd6ea88fa1883c008
 Unapplied:
   wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
-  wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383
   wip-manual-document-mt-safety-threads.patch: 3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 0c22d97..d7299d1 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 7b568eec0398262e28b2443863236ee58c339139
-Top:    7c3a36b19e96ca71f5c07915ec0dbf244fd1096d
+Bottom: 6ce35abc40d1550d75f2977d616b3878eeadcd9b
+Top:    7b5b5d8f990508d27c92e7be27499ab075fcd831
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eb47e54bf344d09d6c151a1bd6ea88fa1883c008

commit eb47e54bf344d09d6c151a1bd6ea88fa1883c008
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=982014f3805467e9b2c5b7df8dad4e75c9f31ea8

commit 982014f3805467e9b2c5b7df8dad4e75c9f31ea8
Merge: c43a56e fca2047
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:11 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c43a56eb3661dea50f790963f6fa0408c28b0307

commit c43a56eb3661dea50f790963f6fa0408c28b0307
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:11 2013 -0300

    pop

diff --git a/meta b/meta
index c0bc6e4..4e4f4a9 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: c0ca1bdec2c7f9a46efc8569e2e10ab3b52dce6f
-Head: 34f782743f44b2c627e74a640f2f29309d471b99
+Previous: fca20470d3621b5a0f7fd2ffff979889c2307fa5
+Head: 12d50c8632aaee2f0763bb48c0b69349b09022bb
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -22,8 +22,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
-  wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
 Unapplied:
+  wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fca20470d3621b5a0f7fd2ffff979889c2307fa5

commit fca20470d3621b5a0f7fd2ffff979889c2307fa5
Merge: 133e2fa 34f7827 c0ca1bd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:06 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=133e2fad359acaa8a47e173de700e36a21f48a3c

commit 133e2fad359acaa8a47e173de700e36a21f48a3c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:06 2013 -0300

    refresh

diff --git a/meta b/meta
index 06d59f7..c0bc6e4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6d4f78851d1ae9836ba6f804e3ca6941bda32c47
-Head: 6e391f1487c209a836a1c1851014437f6ebf4850
+Previous: c0ca1bdec2c7f9a46efc8569e2e10ab3b52dce6f
+Head: 34f782743f44b2c627e74a640f2f29309d471b99
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -22,8 +22,7 @@ Applied:
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
-  wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
-  refresh-temp: 6e391f1487c209a836a1c1851014437f6ebf4850
+  wip-manual-document-mt-safety-search.patch: 34f782743f44b2c627e74a640f2f29309d471b99
 Unapplied:
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 7926963..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,21 +0,0 @@
-Bottom: 7b568eec0398262e28b2443863236ee58c339139
-Top:    32435639dae1b4c2a97e179c96d3885673119e94
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 07:19:05 -0300
-
-Refresh of wip-manual-document-mt-safety-search.patch
-
----
-
-diff --git a/manual/search.texi b/manual/search.texi
-index 6910edc..46f5f1c 100644
---- a/manual/search.texi
-+++ b/manual/search.texi
-@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
- @comment stdlib.h
- @comment ISO
- @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{bsearch} function searches the sorted array @var{array} for an object
- that is equivalent to @var{key}.  The array contains @var{count} elements,
- each of which is of size @var{size} bytes.
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index e4ddc10..fee21d1 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
 Bottom: 6ce35abc40d1550d75f2977d616b3878eeadcd9b
-Top:    7b568eec0398262e28b2443863236ee58c339139
+Top:    32435639dae1b4c2a97e179c96d3885673119e94
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
@@ -13,10 +13,18 @@ for ChangeLog
 ---
 
 diff --git a/manual/search.texi b/manual/search.texi
-index efd3604..6910edc 100644
+index efd3604..46f5f1c 100644
 --- a/manual/search.texi
 +++ b/manual/search.texi
-@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
+@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{bsearch} function searches the sorted array @var{array} for an object
+ that is equivalent to @var{key}.  The array contains @var{count} elements,
+ each of which is of size @var{size} bytes.
+@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
  @comment stdlib.h
  @comment ISO
  @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
@@ -24,7 +32,7 @@ index efd3604..6910edc 100644
  The @var{qsort} function sorts the array @var{array}.  The array contains
  @var{count} elements, each of which is of size @var{size}.
  
-@@ -436,6 +437,11 @@ in the header file @file{search.h}.
+@@ -436,6 +438,11 @@ in the header file @file{search.h}.
  @comment search.h
  @comment SVID
  @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
@@ -36,7 +44,7 @@ index efd3604..6910edc 100644
  The @code{tsearch} function searches in the tree pointed to by
  @code{*@var{rootp}} for an element matching @var{key}.  The function
  pointed to by @var{compar} is used to determine whether two elements
-@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
+@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
  @comment search.h
  @comment SVID
  @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
@@ -44,7 +52,7 @@ index efd3604..6910edc 100644
  The @code{tfind} function is similar to the @code{tsearch} function.  It
  locates an element matching the one pointed to by @var{key} and returns
  a pointer to this element.  But if no matching element is available no
-@@ -479,6 +486,7 @@ elements.
+@@ -479,6 +487,7 @@ elements.
  @comment search.h
  @comment SVID
  @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
@@ -52,7 +60,7 @@ index efd3604..6910edc 100644
  To remove a specific element matching @var{key} from the tree
  @code{tdelete} can be used.  It locates the matching element using the
  same method as @code{tfind}.  The corresponding element is then removed
-@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
+@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
  @comment search.h
  @comment GNU
  @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
@@ -60,7 +68,7 @@ index efd3604..6910edc 100644
  If the complete search tree has to be removed one can use
  @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
  function to generate the tree pointed to by @var{vroot}.
-@@ -546,6 +555,7 @@ The current node is a leaf.
+@@ -546,6 +556,7 @@ The current node is a leaf.
  @comment search.h
  @comment SVID
  @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c0ca1bdec2c7f9a46efc8569e2e10ab3b52dce6f

commit c0ca1bdec2c7f9a46efc8569e2e10ab3b52dce6f
Merge: 1600648 6d4f788 6e391f1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:06 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1600648c0c791b5f7a566fdf119548a75cff4a50

commit 1600648c0c791b5f7a566fdf119548a75cff4a50
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:06 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 22962b5..06d59f7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 0fc9a47333c44d45d4df2a45ad4faca5e1227cf1
-Head: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
+Previous: 6d4f78851d1ae9836ba6f804e3ca6941bda32c47
+Head: 6e391f1487c209a836a1c1851014437f6ebf4850
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -23,6 +23,7 @@ Applied:
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
   wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
+  refresh-temp: 6e391f1487c209a836a1c1851014437f6ebf4850
 Unapplied:
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..7926963
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,21 @@
+Bottom: 7b568eec0398262e28b2443863236ee58c339139
+Top:    32435639dae1b4c2a97e179c96d3885673119e94
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 07:19:05 -0300
+
+Refresh of wip-manual-document-mt-safety-search.patch
+
+---
+
+diff --git a/manual/search.texi b/manual/search.texi
+index 6910edc..46f5f1c 100644
+--- a/manual/search.texi
++++ b/manual/search.texi
+@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{bsearch} function searches the sorted array @var{array} for an object
+ that is equivalent to @var{key}.  The array contains @var{count} elements,
+ each of which is of size @var{size} bytes.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6e391f1487c209a836a1c1851014437f6ebf4850

commit 6e391f1487c209a836a1c1851014437f6ebf4850
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:19:05 2013 -0300

    Refresh of wip-manual-document-mt-safety-search.patch

diff --git a/manual/search.texi b/manual/search.texi
index 6910edc..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6d4f78851d1ae9836ba6f804e3ca6941bda32c47

commit 6d4f78851d1ae9836ba6f804e3ca6941bda32c47
Merge: c52ad6a 0fc9a47
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:18:46 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c52ad6ac983b52c50a47de6fde4694066069691b

commit c52ad6ac983b52c50a47de6fde4694066069691b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:18:46 2013 -0300

    goto

diff --git a/meta b/meta
index 8d69c84..22962b5 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5d47ec55940837aed05ebf373eebf52dcfdbe477
-Head: 6f4e45cf07d6783744862ecdec3b2b869616e82c
+Previous: 0fc9a47333c44d45d4df2a45ad4faca5e1227cf1
+Head: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -23,11 +23,11 @@ Applied:
   wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
   wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
+Unapplied:
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383
   wip-manual-document-mt-safety-threads.patch: 3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb
   wip-manual-document-mt-safety-time.patch: 99f4367ed4a5684759f98c0a3892814471c5614c
   wip-manual-document-mt-safety-locale.patch: 6f4e45cf07d6783744862ecdec3b2b869616e82c
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0fc9a47333c44d45d4df2a45ad4faca5e1227cf1

commit 0fc9a47333c44d45d4df2a45ad4faca5e1227cf1
Merge: 7044a22 6f4e45c 5d47ec5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:18:28 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7044a22dfe22bc34da1973d13d9b9252e28208fc

commit 7044a22dfe22bc34da1973d13d9b9252e28208fc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:18:28 2013 -0300

    refresh

diff --git a/meta b/meta
index 75cc943..8d69c84 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 1e8d69bddd6bb498797ac5830ad010f603f04e3a
-Head: d04cd019c3c869c6e003da7fc621bdc39a1697fd
+Previous: 5d47ec55940837aed05ebf373eebf52dcfdbe477
+Head: 6f4e45cf07d6783744862ecdec3b2b869616e82c
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383
   wip-manual-document-mt-safety-threads.patch: 3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb
   wip-manual-document-mt-safety-time.patch: 99f4367ed4a5684759f98c0a3892814471c5614c
-  wip-manual-document-mt-safety-locale.patch: 5ec37aadc127410dcee460deadd90b9a14245e01
-  refresh-temp: d04cd019c3c869c6e003da7fc621bdc39a1697fd
+  wip-manual-document-mt-safety-locale.patch: 6f4e45cf07d6783744862ecdec3b2b869616e82c
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 3c85733..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,39 +0,0 @@
-Bottom: c671a873d8dd4fd456cb14f37ccdeda91d0cb41f
-Top:    455c2ab778a60b1dcb4297adc071869fa6d1b05a
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 07:18:27 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index 491e802..7d04c64 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -245,10 +245,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c   _nl_load_locale_from_archive
- @c   _nl_expand_alias
- @c    libc_lock_lock selfdeadlock, lockleak
--@c    bsearch
--@c     alias_compare
-+@c    bsearch ok
-+@c     alias_compare ok
- @c      strcasecmp ok
--@c    read_alias_file
-+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
- @c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
- @c     fsetlocking ok
- @c     feof_unlocked ok
-@@ -258,9 +258,9 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c      realloc memleak, asmalloc
- @c     realloc memleak, asmalloc
- @c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
--@c     qsort ok
-+@c     qsort asmalloc, memleak
- @c      alias_compare dup
--@c    libc_lock_unlock
-+@c    libc_lock_unlock lockleak
- @c   _nl_explode_name
- @c   _nl_make_l10nflist
- @c   _nl_load_locale
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index fde5a6a..343894a 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: fe8bad047b580707f9f180cdd7e8d6ae53b04de7
-Top:    c671a873d8dd4fd456cb14f37ccdeda91d0cb41f
+Top:    455c2ab778a60b1dcb4297adc071869fa6d1b05a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..491e802 100644
+index 2f10fcd..7d04c64 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
 @@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
@@ -41,10 +41,10 @@ index 2f10fcd..491e802 100644
 +@c   _nl_load_locale_from_archive
 +@c   _nl_expand_alias
 +@c    libc_lock_lock selfdeadlock, lockleak
-+@c    bsearch
-+@c     alias_compare
++@c    bsearch ok
++@c     alias_compare ok
 +@c      strcasecmp ok
-+@c    read_alias_file
++@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
 +@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
 +@c     fsetlocking ok
 +@c     feof_unlocked ok
@@ -54,9 +54,9 @@ index 2f10fcd..491e802 100644
 +@c      realloc memleak, asmalloc
 +@c     realloc memleak, asmalloc
 +@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
-+@c     qsort ok
++@c     qsort asmalloc, memleak
 +@c      alias_compare dup
-+@c    libc_lock_unlock
++@c    libc_lock_unlock lockleak
 +@c   _nl_explode_name
 +@c   _nl_make_l10nflist
 +@c   _nl_load_locale

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d47ec55940837aed05ebf373eebf52dcfdbe477

commit 5d47ec55940837aed05ebf373eebf52dcfdbe477
Merge: 77eff0a 1e8d69b d04cd01
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:18:28 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=77eff0a63e30408324c28160c443aa91f4502f30

commit 77eff0a63e30408324c28160c443aa91f4502f30
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:18:28 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 7348036..75cc943 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ffa0f4b3923d9e070eacb011c9458a02f23e5414
-Head: 5ec37aadc127410dcee460deadd90b9a14245e01
+Previous: 1e8d69bddd6bb498797ac5830ad010f603f04e3a
+Head: d04cd019c3c869c6e003da7fc621bdc39a1697fd
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb
   wip-manual-document-mt-safety-time.patch: 99f4367ed4a5684759f98c0a3892814471c5614c
   wip-manual-document-mt-safety-locale.patch: 5ec37aadc127410dcee460deadd90b9a14245e01
+  refresh-temp: d04cd019c3c869c6e003da7fc621bdc39a1697fd
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..3c85733
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,39 @@
+Bottom: c671a873d8dd4fd456cb14f37ccdeda91d0cb41f
+Top:    455c2ab778a60b1dcb4297adc071869fa6d1b05a
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 07:18:27 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 491e802..7d04c64 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -245,10 +245,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c   _nl_load_locale_from_archive
+ @c   _nl_expand_alias
+ @c    libc_lock_lock selfdeadlock, lockleak
+-@c    bsearch
+-@c     alias_compare
++@c    bsearch ok
++@c     alias_compare ok
+ @c      strcasecmp ok
+-@c    read_alias_file
++@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+ @c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+ @c     fsetlocking ok
+ @c     feof_unlocked ok
+@@ -258,9 +258,9 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c      realloc memleak, asmalloc
+ @c     realloc memleak, asmalloc
+ @c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+-@c     qsort ok
++@c     qsort asmalloc, memleak
+ @c      alias_compare dup
+-@c    libc_lock_unlock
++@c    libc_lock_unlock lockleak
+ @c   _nl_explode_name
+ @c   _nl_make_l10nflist
+ @c   _nl_load_locale

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d04cd019c3c869c6e003da7fc621bdc39a1697fd

commit d04cd019c3c869c6e003da7fc621bdc39a1697fd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 07:18:27 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index 491e802..7d04c64 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -245,10 +245,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c   _nl_load_locale_from_archive
 @c   _nl_expand_alias
 @c    libc_lock_lock selfdeadlock, lockleak
-@c    bsearch
-@c     alias_compare
+@c    bsearch ok
+@c     alias_compare ok
 @c      strcasecmp ok
-@c    read_alias_file
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
 @c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
 @c     fsetlocking ok
 @c     feof_unlocked ok
@@ -258,9 +258,9 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c      realloc memleak, asmalloc
 @c     realloc memleak, asmalloc
 @c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
-@c     qsort ok
+@c     qsort asmalloc, memleak
 @c      alias_compare dup
-@c    libc_lock_unlock
+@c    libc_lock_unlock lockleak
 @c   _nl_explode_name
 @c   _nl_make_l10nflist
 @c   _nl_load_locale

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6f4e45cf07d6783744862ecdec3b2b869616e82c

commit 6f4e45cf07d6783744862ecdec3b2b869616e82c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..7d04c64 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c   _nl_expand_alias
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch ok
+@c     alias_compare ok
+@c      strcasecmp ok
+@c    read_alias_file asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort asmalloc, memleak
+@c      alias_compare dup
+@c    libc_lock_unlock lockleak
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1e8d69bddd6bb498797ac5830ad010f603f04e3a

commit 1e8d69bddd6bb498797ac5830ad010f603f04e3a
Merge: 93f018f ffa0f4b 5ec37aa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:36 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=93f018fcd1cfdee987ed4f92ee29ddf78e8014ab

commit 93f018fcd1cfdee987ed4f92ee29ddf78e8014ab
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:36 2013 -0300

    push

diff --git a/meta b/meta
index 7200bc3..7348036 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: c75984a72f750ab31f6a248a9c24bd231fd4429f
-Head: 1322d0df3da60812c2b42e23710a999109d4b2c8
+Previous: ffa0f4b3923d9e070eacb011c9458a02f23e5414
+Head: 5ec37aadc127410dcee460deadd90b9a14245e01
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
+  wip-manual-document-mt-safety-terminal.patch: f81b15daf3d55fe078f1605002575be2f98d1383
+  wip-manual-document-mt-safety-threads.patch: 3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb
+  wip-manual-document-mt-safety-time.patch: 99f4367ed4a5684759f98c0a3892814471c5614c
+  wip-manual-document-mt-safety-locale.patch: 5ec37aadc127410dcee460deadd90b9a14245e01
 Unapplied:
-  wip-manual-document-mt-safety-terminal.patch: c02af6635e7cc131c702dcff10cfe433c617fad5
-  wip-manual-document-mt-safety-threads.patch: 5bc0ea1ef664f58498315ce61f27703cd001fd35
-  wip-manual-document-mt-safety-time.patch: afdf3f5f5bd3ee6fc4230618b617cd0d4da134ca
-  wip-manual-document-mt-safety-locale.patch: 5eed36e980fee4d5a7bfd909b40fea305e6c0f4b
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 6269b8c..fde5a6a 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 74f665133c21edd612695fb40b609f8bad0baef9
-Top:    e183cf4983754b833aea752d06508ab86b09968d
+Bottom: fe8bad047b580707f9f180cdd7e8d6ae53b04de7
+Top:    c671a873d8dd4fd456cb14f37ccdeda91d0cb41f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 134465f..162f061 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 29300d1844347314806a484be6c071c85ba34bfb
-Top:    a99f3327e38bc078b866e571ab14fe1173fccded
+Bottom: fda3912674c43eb3cfb9ce73f0a0a3895805a9d4
+Top:    057d2ee57322c5e4282a657439967073a343503c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 3f73d01..0c465c2 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: a99f3327e38bc078b866e571ab14fe1173fccded
-Top:    94a334b985bc39aebfecc31bb65b9b8447a71df9
+Bottom: 057d2ee57322c5e4282a657439967073a343503c
+Top:    c17c82ee20bfc86b88263accac9d3e2bbc7e3114
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 6e501e1..a8d446d 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 94a334b985bc39aebfecc31bb65b9b8447a71df9
-Top:    74f665133c21edd612695fb40b609f8bad0baef9
+Bottom: c17c82ee20bfc86b88263accac9d3e2bbc7e3114
+Top:    fe8bad047b580707f9f180cdd7e8d6ae53b04de7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5ec37aadc127410dcee460deadd90b9a14245e01

commit 5ec37aadc127410dcee460deadd90b9a14245e01
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..491e802 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c   _nl_expand_alias
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch
+@c     alias_compare
+@c      strcasecmp ok
+@c    read_alias_file
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort ok
+@c      alias_compare dup
+@c    libc_lock_unlock
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=99f4367ed4a5684759f98c0a3892814471c5614c

commit 99f4367ed4a5684759f98c0a3892814471c5614c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb

commit 3eac9f8ecd86d5e635fc8a1d1552329d1c47eedb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ffa0f4b3923d9e070eacb011c9458a02f23e5414

commit ffa0f4b3923d9e070eacb011c9458a02f23e5414
Merge: 399071d 1322d0d c75984a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:35 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=399071d7d33968c072eb8fcb840fd71c3243ed0a

commit 399071d7d33968c072eb8fcb840fd71c3243ed0a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:35 2013 -0300

    refresh

diff --git a/meta b/meta
index f8be01a..7200bc3 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 65672a533812bb062d5739536cce66e55638fb38
-Head: 668082f1248d37a9887c276bff2c36f593c6ce8b
+Previous: c75984a72f750ab31f6a248a9c24bd231fd4429f
+Head: 1322d0df3da60812c2b42e23710a999109d4b2c8
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -24,8 +24,7 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
   wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
-  wip-manual-document-mt-safety-string.patch: 7441ccb3ac0c3fd1cd2735d24268ed21182e3a77
-  refresh-temp: 668082f1248d37a9887c276bff2c36f593c6ce8b
+  wip-manual-document-mt-safety-string.patch: 1322d0df3da60812c2b42e23710a999109d4b2c8
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: c02af6635e7cc131c702dcff10cfe433c617fad5
   wip-manual-document-mt-safety-threads.patch: 5bc0ea1ef664f58498315ce61f27703cd001fd35
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 4f8b9cf..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,25 +0,0 @@
-Bottom: 29300d1844347314806a484be6c071c85ba34bfb
-Top:    fda3912674c43eb3cfb9ce73f0a0a3895805a9d4
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 06:46:35 -0300
-
-Refresh of wip-manual-document-mt-safety-string.patch
-
----
-
-diff --git a/manual/string.texi b/manual/string.texi
-index a75d298..6673a61 100644
---- a/manual/string.texi
-+++ b/manual/string.texi
-@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
- @comment string.h
- @comment BSD
- @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Although this calls tolower multiple times, it's a macro, and
-+@c strcasecmp is optimized so that the locale pointer is read only once.
-+@c There are some asm implementations too, for which the single-read
-+@c from locale TLS pointers also applies.
- This function is like @code{strcmp}, except that differences in case are
- ignored.  How uppercase and lowercase characters are related is
- determined by the currently selected locale.  In the standard @code{"C"}
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index c14cc77..6e1dac1 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
 Bottom: 7c3a36b19e96ca71f5c07915ec0dbf244fd1096d
-Top:    29300d1844347314806a484be6c071c85ba34bfb
+Top:    fda3912674c43eb3cfb9ce73f0a0a3895805a9d4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
@@ -13,10 +13,22 @@ for ChangeLog
 ---
 
 diff --git a/manual/string.texi b/manual/string.texi
-index 246be84..a75d298 100644
+index 246be84..6673a61 100644
 --- a/manual/string.texi
 +++ b/manual/string.texi
-@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
+@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
+ @comment string.h
+ @comment BSD
+ @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Although this calls tolower multiple times, it's a macro, and
++@c strcasecmp is optimized so that the locale pointer is read only once.
++@c There are some asm implementations too, for which the single-read
++@c from locale TLS pointers also applies.
+ This function is like @code{strcmp}, except that differences in case are
+ ignored.  How uppercase and lowercase characters are related is
+ determined by the currently selected locale.  In the standard @code{"C"}
+@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
  @comment string.h
  @comment GNU
  @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
@@ -25,7 +37,7 @@ index 246be84..a75d298 100644
  The @code{strverscmp} function compares the string @var{s1} against
  @var{s2}, considering them as holding indices/version numbers.  The
  return value follows the same conventions as found in the
-@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
+@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
  @comment string.h
  @comment ISO
  @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f81b15daf3d55fe078f1605002575be2f98d1383

commit f81b15daf3d55fe078f1605002575be2f98d1383
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c75984a72f750ab31f6a248a9c24bd231fd4429f

commit c75984a72f750ab31f6a248a9c24bd231fd4429f
Merge: 19b679d 65672a5 668082f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:35 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=19b679df15a1ba81627984037e60bbd03281b2b0

commit 19b679df15a1ba81627984037e60bbd03281b2b0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:35 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index e2fa3cc..f8be01a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 782f16be9b7b2063145c7e6674c7899c0ce44b1d
-Head: 7441ccb3ac0c3fd1cd2735d24268ed21182e3a77
+Previous: 65672a533812bb062d5739536cce66e55638fb38
+Head: 668082f1248d37a9887c276bff2c36f593c6ce8b
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,6 +25,7 @@ Applied:
   wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 7441ccb3ac0c3fd1cd2735d24268ed21182e3a77
+  refresh-temp: 668082f1248d37a9887c276bff2c36f593c6ce8b
 Unapplied:
   wip-manual-document-mt-safety-terminal.patch: c02af6635e7cc131c702dcff10cfe433c617fad5
   wip-manual-document-mt-safety-threads.patch: 5bc0ea1ef664f58498315ce61f27703cd001fd35
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..4f8b9cf
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,25 @@
+Bottom: 29300d1844347314806a484be6c071c85ba34bfb
+Top:    fda3912674c43eb3cfb9ce73f0a0a3895805a9d4
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 06:46:35 -0300
+
+Refresh of wip-manual-document-mt-safety-string.patch
+
+---
+
+diff --git a/manual/string.texi b/manual/string.texi
+index a75d298..6673a61 100644
+--- a/manual/string.texi
++++ b/manual/string.texi
+@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
+ @comment string.h
+ @comment BSD
+ @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Although this calls tolower multiple times, it's a macro, and
++@c strcasecmp is optimized so that the locale pointer is read only once.
++@c There are some asm implementations too, for which the single-read
++@c from locale TLS pointers also applies.
+ This function is like @code{strcmp}, except that differences in case are
+ ignored.  How uppercase and lowercase characters are related is
+ determined by the currently selected locale.  In the standard @code{"C"}

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=668082f1248d37a9887c276bff2c36f593c6ce8b

commit 668082f1248d37a9887c276bff2c36f593c6ce8b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:35 2013 -0300

    Refresh of wip-manual-document-mt-safety-string.patch

diff --git a/manual/string.texi b/manual/string.texi
index a75d298..6673a61 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=65672a533812bb062d5739536cce66e55638fb38

commit 65672a533812bb062d5739536cce66e55638fb38
Merge: badaa5d 782f16b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:24 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=badaa5d2fe565121a9b42bd4cc9be8feebf24526

commit badaa5d2fe565121a9b42bd4cc9be8feebf24526
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:24 2013 -0300

    goto

diff --git a/meta b/meta
index 78e0b5a..e2fa3cc 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 825aa89c03cbc714bebc54c55a9f80674ec3d947
-Head: 5eed36e980fee4d5a7bfd909b40fea305e6c0f4b
+Previous: 782f16be9b7b2063145c7e6674c7899c0ce44b1d
+Head: 7441ccb3ac0c3fd1cd2735d24268ed21182e3a77
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -25,9 +25,9 @@ Applied:
   wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
   wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
   wip-manual-document-mt-safety-string.patch: 7441ccb3ac0c3fd1cd2735d24268ed21182e3a77
+Unapplied:
   wip-manual-document-mt-safety-terminal.patch: c02af6635e7cc131c702dcff10cfe433c617fad5
   wip-manual-document-mt-safety-threads.patch: 5bc0ea1ef664f58498315ce61f27703cd001fd35
   wip-manual-document-mt-safety-time.patch: afdf3f5f5bd3ee6fc4230618b617cd0d4da134ca
   wip-manual-document-mt-safety-locale.patch: 5eed36e980fee4d5a7bfd909b40fea305e6c0f4b
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=782f16be9b7b2063145c7e6674c7899c0ce44b1d

commit 782f16be9b7b2063145c7e6674c7899c0ce44b1d
Merge: 48deea9 5eed36e 825aa89
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:21 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=48deea9e4ae2ef1dfec92891ddc37590bc1620d2

commit 48deea9e4ae2ef1dfec92891ddc37590bc1620d2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:21 2013 -0300

    refresh

diff --git a/meta b/meta
index d97177b..78e0b5a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 1628f8d30114c6bb2ba4ff7eb1687c17af8c3ab5
-Head: bc8a51645a8715faaa5a318ab1f4c4c4f509b88c
+Previous: 825aa89c03cbc714bebc54c55a9f80674ec3d947
+Head: 5eed36e980fee4d5a7bfd909b40fea305e6c0f4b
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -28,7 +28,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: c02af6635e7cc131c702dcff10cfe433c617fad5
   wip-manual-document-mt-safety-threads.patch: 5bc0ea1ef664f58498315ce61f27703cd001fd35
   wip-manual-document-mt-safety-time.patch: afdf3f5f5bd3ee6fc4230618b617cd0d4da134ca
-  wip-manual-document-mt-safety-locale.patch: 422aa76fa083b6e69ae5ed04429e32a406c7ec93
-  refresh-temp: bc8a51645a8715faaa5a318ab1f4c4c4f509b88c
+  wip-manual-document-mt-safety-locale.patch: 5eed36e980fee4d5a7bfd909b40fea305e6c0f4b
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 445d4bb..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,62 +0,0 @@
-Bottom: 7003967eaf771392ad1c6c6f996ace42ab8190e3
-Top:    e183cf4983754b833aea752d06508ab86b09968d
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-22 06:46:20 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index 60e08d8..491e802 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -229,11 +229,44 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c ought to be MT-Safe, so we're ruling out the use of this function
- @c once threads are started.  It takes a write lock itself, but it may
- @c return a pointer loaded from the global locale object after releasing
--@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
--@c and free, and _nl_find_locale, which amount to all documented safety
--@c issues.  It also calls new_composite_name, setdata, and setname,
--@c without any additional issues.  _nl_find_locale calls getenv, ...
-+@c the lock, or before taking it.
- @c This function returns a pointer read...
-+@c setlocale
-+@c  libc_rwlock_wrlock selfdeadlock, lockleak
-+@c  libc_rwlock_unlock lockleak
-+@c  getenv LOCPATH envromt
-+@c  malloc asmalloc, memleak
-+@c  free asmalloc, memleak
-+@c  new_composite_name ok
-+@c  setdata ok
-+@c  setname ok
-+@c  _nl_find_locale
-+@c   getenv LC_ALL and LANG envromt
-+@c   _nl_load_locale_from_archive
-+@c   _nl_expand_alias
-+@c    libc_lock_lock selfdeadlock, lockleak
-+@c    bsearch
-+@c     alias_compare
-+@c      strcasecmp ok
-+@c    read_alias_file
-+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
-+@c     fsetlocking ok
-+@c     feof_unlocked ok
-+@c     fgets_unlocked ok
-+@c     isspace ok (locale mutex is locked)
-+@c     extend_alias_table memleak, asmalloc
-+@c      realloc memleak, asmalloc
-+@c     realloc memleak, asmalloc
-+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
-+@c     qsort ok
-+@c      alias_compare dup
-+@c    libc_lock_unlock
-+@c   _nl_explode_name
-+@c   _nl_make_l10nflist
-+@c   _nl_load_locale
-+@c   __gconv_compare_alias
-+@c   strndup asmalloc, memleak
-+@c   strcasecmp_l (C locale)
- The function @code{setlocale} sets the current locale for category
- @var{category} to @var{locale}.  A list of all the locales the system
- provides can be created by running
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index b760385..6269b8c 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: 74f665133c21edd612695fb40b609f8bad0baef9
-Top:    7003967eaf771392ad1c6c6f996ace42ab8190e3
+Top:    e183cf4983754b833aea752d06508ab86b09968d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
@@ -13,10 +13,10 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..60e08d8 100644
+index 2f10fcd..491e802 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
-@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
+@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
  @comment locale.h
  @comment ISO
  @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
@@ -25,11 +25,44 @@ index 2f10fcd..60e08d8 100644
 +@c ought to be MT-Safe, so we're ruling out the use of this function
 +@c once threads are started.  It takes a write lock itself, but it may
 +@c return a pointer loaded from the global locale object after releasing
-+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
-+@c and free, and _nl_find_locale, which amount to all documented safety
-+@c issues.  It also calls new_composite_name, setdata, and setname,
-+@c without any additional issues.  _nl_find_locale calls getenv, ...
++@c the lock, or before taking it.
 +@c This function returns a pointer read...
++@c setlocale
++@c  libc_rwlock_wrlock selfdeadlock, lockleak
++@c  libc_rwlock_unlock lockleak
++@c  getenv LOCPATH envromt
++@c  malloc asmalloc, memleak
++@c  free asmalloc, memleak
++@c  new_composite_name ok
++@c  setdata ok
++@c  setname ok
++@c  _nl_find_locale
++@c   getenv LC_ALL and LANG envromt
++@c   _nl_load_locale_from_archive
++@c   _nl_expand_alias
++@c    libc_lock_lock selfdeadlock, lockleak
++@c    bsearch
++@c     alias_compare
++@c      strcasecmp ok
++@c    read_alias_file
++@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
++@c     fsetlocking ok
++@c     feof_unlocked ok
++@c     fgets_unlocked ok
++@c     isspace ok (locale mutex is locked)
++@c     extend_alias_table memleak, asmalloc
++@c      realloc memleak, asmalloc
++@c     realloc memleak, asmalloc
++@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
++@c     qsort ok
++@c      alias_compare dup
++@c    libc_lock_unlock
++@c   _nl_explode_name
++@c   _nl_make_l10nflist
++@c   _nl_load_locale
++@c   __gconv_compare_alias
++@c   strndup asmalloc, memleak
++@c   strcasecmp_l (C locale)
  The function @code{setlocale} sets the current locale for category
  @var{category} to @var{locale}.  A list of all the locales the system
  provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=825aa89c03cbc714bebc54c55a9f80674ec3d947

commit 825aa89c03cbc714bebc54c55a9f80674ec3d947
Merge: da4bbd9 1628f8d bc8a516
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:20 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=da4bbd9845abdd09765a6859cabd54e1e67070c0

commit da4bbd9845abdd09765a6859cabd54e1e67070c0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:20 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index f232616..d97177b 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 85c9005a07f05ad8d6d9f97158cb3e3292b0e989
-Head: 422aa76fa083b6e69ae5ed04429e32a406c7ec93
+Previous: 1628f8d30114c6bb2ba4ff7eb1687c17af8c3ab5
+Head: bc8a51645a8715faaa5a318ab1f4c4c4f509b88c
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: 5bc0ea1ef664f58498315ce61f27703cd001fd35
   wip-manual-document-mt-safety-time.patch: afdf3f5f5bd3ee6fc4230618b617cd0d4da134ca
   wip-manual-document-mt-safety-locale.patch: 422aa76fa083b6e69ae5ed04429e32a406c7ec93
+  refresh-temp: bc8a51645a8715faaa5a318ab1f4c4c4f509b88c
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..445d4bb
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,62 @@
+Bottom: 7003967eaf771392ad1c6c6f996ace42ab8190e3
+Top:    e183cf4983754b833aea752d06508ab86b09968d
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-22 06:46:20 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 60e08d8..491e802 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -229,11 +229,44 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c ought to be MT-Safe, so we're ruling out the use of this function
+ @c once threads are started.  It takes a write lock itself, but it may
+ @c return a pointer loaded from the global locale object after releasing
+-@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+-@c and free, and _nl_find_locale, which amount to all documented safety
+-@c issues.  It also calls new_composite_name, setdata, and setname,
+-@c without any additional issues.  _nl_find_locale calls getenv, ...
++@c the lock, or before taking it.
+ @c This function returns a pointer read...
++@c setlocale
++@c  libc_rwlock_wrlock selfdeadlock, lockleak
++@c  libc_rwlock_unlock lockleak
++@c  getenv LOCPATH envromt
++@c  malloc asmalloc, memleak
++@c  free asmalloc, memleak
++@c  new_composite_name ok
++@c  setdata ok
++@c  setname ok
++@c  _nl_find_locale
++@c   getenv LC_ALL and LANG envromt
++@c   _nl_load_locale_from_archive
++@c   _nl_expand_alias
++@c    libc_lock_lock selfdeadlock, lockleak
++@c    bsearch
++@c     alias_compare
++@c      strcasecmp ok
++@c    read_alias_file
++@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
++@c     fsetlocking ok
++@c     feof_unlocked ok
++@c     fgets_unlocked ok
++@c     isspace ok (locale mutex is locked)
++@c     extend_alias_table memleak, asmalloc
++@c      realloc memleak, asmalloc
++@c     realloc memleak, asmalloc
++@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
++@c     qsort ok
++@c      alias_compare dup
++@c    libc_lock_unlock
++@c   _nl_explode_name
++@c   _nl_make_l10nflist
++@c   _nl_load_locale
++@c   __gconv_compare_alias
++@c   strndup asmalloc, memleak
++@c   strcasecmp_l (C locale)
+ The function @code{setlocale} sets the current locale for category
+ @var{category} to @var{locale}.  A list of all the locales the system
+ provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bc8a51645a8715faaa5a318ab1f4c4c4f509b88c

commit bc8a51645a8715faaa5a318ab1f4c4c4f509b88c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Thu Aug 22 06:46:20 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index 60e08d8..491e802 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -229,11 +229,44 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c ought to be MT-Safe, so we're ruling out the use of this function
 @c once threads are started.  It takes a write lock itself, but it may
 @c return a pointer loaded from the global locale object after releasing
-@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
-@c and free, and _nl_find_locale, which amount to all documented safety
-@c issues.  It also calls new_composite_name, setdata, and setname,
-@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c the lock, or before taking it.
 @c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c   _nl_expand_alias
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch
+@c     alias_compare
+@c      strcasecmp ok
+@c    read_alias_file
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort ok
+@c      alias_compare dup
+@c    libc_lock_unlock
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1628f8d30114c6bb2ba4ff7eb1687c17af8c3ab5

commit 1628f8d30114c6bb2ba4ff7eb1687c17af8c3ab5
Merge: 74c095d 422aa76 85c9005
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 03:57:44 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=74c095dac0290878ba154cdc2c1815850ae25dcc

commit 74c095dac0290878ba154cdc2c1815850ae25dcc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 03:57:44 2013 -0300

    float

diff --git a/meta b/meta
index bd54f4f..f232616 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: aa465b0085f4d4bc6523c446f7ce6870227c8992
-Head: c759555d9d5560131f6dc67be34fa2ae51f54c4f
+Previous: 85c9005a07f05ad8d6d9f97158cb3e3292b0e989
+Head: 422aa76fa083b6e69ae5ed04429e32a406c7ec93
 Applied:
   unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
   remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
@@ -20,14 +20,14 @@ Applied:
   manual-document-mt-safety-lang.patch: df244861d2cc8225a441c53b523f53150727ae62
   manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
   manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
-  wip-manual-document-mt-safety-locale.patch: 0c975e33c4db3c285d4144bd8fa8ab684c8b500a
-  wip-manual-document-mt-safety-math.patch: 0ded06d761bd842d9d7f6ab9473b5af3789e20e2
-  wip-manual-document-mt-safety-startup.patch: 93ca5fa817ae6dc3d50a6990be8ae64d8b398e83
-  wip-manual-document-mt-safety-search.patch: 2f91898f8002f8d61d9aad3c436468301513d49e
-  wip-manual-document-mt-safety-resource.patch: 56296c84c59e84bc5a577f60252a3bca4e57944d
-  wip-manual-document-mt-safety-string.patch: b16c3cb1e8fe3228f39d484598829d52e8b9ac43
-  wip-manual-document-mt-safety-terminal.patch: cfab792fb4bc046f3274734d629c29d86856ef28
-  wip-manual-document-mt-safety-threads.patch: 97ee1ff6ce212b9a9a750393c65224d306fb2ddd
-  wip-manual-document-mt-safety-time.patch: c759555d9d5560131f6dc67be34fa2ae51f54c4f
+  wip-manual-document-mt-safety-math.patch: 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
+  wip-manual-document-mt-safety-startup.patch: 12d50c8632aaee2f0763bb48c0b69349b09022bb
+  wip-manual-document-mt-safety-search.patch: 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
+  wip-manual-document-mt-safety-resource.patch: 561ca151dcd427e997cb452b8d6aad6b2e251fc7
+  wip-manual-document-mt-safety-string.patch: 7441ccb3ac0c3fd1cd2735d24268ed21182e3a77
+  wip-manual-document-mt-safety-terminal.patch: c02af6635e7cc131c702dcff10cfe433c617fad5
+  wip-manual-document-mt-safety-threads.patch: 5bc0ea1ef664f58498315ce61f27703cd001fd35
+  wip-manual-document-mt-safety-time.patch: afdf3f5f5bd3ee6fc4230618b617cd0d4da134ca
+  wip-manual-document-mt-safety-locale.patch: 422aa76fa083b6e69ae5ed04429e32a406c7ec93
 Unapplied:
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 8156a4d..b760385 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: e50028beb84ad6b675a13f914ea7f6020b0041fb
-Top:    478b5a9511d73300038688d295275adc008791fb
+Bottom: 74f665133c21edd612695fb40b609f8bad0baef9
+Top:    7003967eaf771392ad1c6c6f996ace42ab8190e3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index cbdf2ce..b7ef137 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 478b5a9511d73300038688d295275adc008791fb
-Top:    c1f6d017ec3215a105705280d9d4e90b49cdb2fc
+Bottom: e50028beb84ad6b675a13f914ea7f6020b0041fb
+Top:    11d1dc9eeba934ab536b2fddf3eb7e4e30268ee3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index b4ba175..0c22d97 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: feea6b866c2cad47f44d83b24583aeb2e3dc5922
-Top:    be3798257ab5eb1ffac51f5230137a50fabd0331
+Bottom: 7b568eec0398262e28b2443863236ee58c339139
+Top:    7c3a36b19e96ca71f5c07915ec0dbf244fd1096d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index eb03a10..e4ddc10 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 30385e4571775728259c071ac811cf24231bbe2a
-Top:    feea6b866c2cad47f44d83b24583aeb2e3dc5922
+Bottom: 6ce35abc40d1550d75f2977d616b3878eeadcd9b
+Top:    7b568eec0398262e28b2443863236ee58c339139
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 57fda05..34471ed 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: c1f6d017ec3215a105705280d9d4e90b49cdb2fc
-Top:    30385e4571775728259c071ac811cf24231bbe2a
+Bottom: 11d1dc9eeba934ab536b2fddf3eb7e4e30268ee3
+Top:    6ce35abc40d1550d75f2977d616b3878eeadcd9b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:08 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index b13b758..c14cc77 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: be3798257ab5eb1ffac51f5230137a50fabd0331
-Top:    4d99d3f848a2d2a8839afeb505c973845383e8bb
+Bottom: 7c3a36b19e96ca71f5c07915ec0dbf244fd1096d
+Top:    29300d1844347314806a484be6c071c85ba34bfb
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 5b29c79..134465f 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 4d99d3f848a2d2a8839afeb505c973845383e8bb
-Top:    47b6d76e85ffcec042abbf52e9b26155224ed476
+Bottom: 29300d1844347314806a484be6c071c85ba34bfb
+Top:    a99f3327e38bc078b866e571ab14fe1173fccded
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:09 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index c0d9e8f..3f73d01 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 47b6d76e85ffcec042abbf52e9b26155224ed476
-Top:    2282fda35139be6d25c267fb0f30abf6184f3b6d
+Bottom: a99f3327e38bc078b866e571ab14fe1173fccded
+Top:    94a334b985bc39aebfecc31bb65b9b8447a71df9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index fdb728f..6e501e1 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 2282fda35139be6d25c267fb0f30abf6184f3b6d
-Top:    7003967eaf771392ad1c6c6f996ace42ab8190e3
+Bottom: 94a334b985bc39aebfecc31bb65b9b8447a71df9
+Top:    74f665133c21edd612695fb40b609f8bad0baef9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-17 01:25:10 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=16ea0003407bdc31e8ec8dfe869a8b7692eb8d00

commit 16ea0003407bdc31e8ec8dfe869a8b7692eb8d00
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=12d50c8632aaee2f0763bb48c0b69349b09022bb

commit 12d50c8632aaee2f0763bb48c0b69349b09022bb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=34f782743f44b2c627e74a640f2f29309d471b99

commit 34f782743f44b2c627e74a640f2f29309d471b99
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..46f5f1c 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -113,6 +113,7 @@ the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {void *} bsearch (const void *@var{key}, const void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{bsearch} function searches the sorted array @var{array} for an object
 that is equivalent to @var{key}.  The array contains @var{count} elements,
 each of which is of size @var{size} bytes.
@@ -146,6 +147,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +438,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +472,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +487,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +501,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +556,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3b7789f2efb618f9cdc9cb4e3be46d1670660fc3

commit 3b7789f2efb618f9cdc9cb4e3be46d1670660fc3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1322d0df3da60812c2b42e23710a999109d4b2c8

commit 1322d0df3da60812c2b42e23710a999109d4b2c8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..6673a61 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1159,6 +1159,11 @@ strings are written in into account.  To get that one has to use
 @comment string.h
 @comment BSD
 @deftypefun int strcasecmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Although this calls tolower multiple times, it's a macro, and
+@c strcasecmp is optimized so that the locale pointer is read only once.
+@c There are some asm implementations too, for which the single-read
+@c from locale TLS pointers also applies.
 This function is like @code{strcmp}, except that differences in case are
 ignored.  How uppercase and lowercase characters are related is
 determined by the currently selected locale.  In the standard @code{"C"}
@@ -1247,6 +1252,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1350,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7441ccb3ac0c3fd1cd2735d24268ed21182e3a77

commit 7441ccb3ac0c3fd1cd2735d24268ed21182e3a77
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5eed36e980fee4d5a7bfd909b40fea305e6c0f4b

commit 5eed36e980fee4d5a7bfd909b40fea305e6c0f4b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..491e802 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,49 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.
+@c This function returns a pointer read...
+@c setlocale
+@c  libc_rwlock_wrlock selfdeadlock, lockleak
+@c  libc_rwlock_unlock lockleak
+@c  getenv LOCPATH envromt
+@c  malloc asmalloc, memleak
+@c  free asmalloc, memleak
+@c  new_composite_name ok
+@c  setdata ok
+@c  setname ok
+@c  _nl_find_locale
+@c   getenv LC_ALL and LANG envromt
+@c   _nl_load_locale_from_archive
+@c   _nl_expand_alias
+@c    libc_lock_lock selfdeadlock, lockleak
+@c    bsearch
+@c     alias_compare
+@c      strcasecmp ok
+@c    read_alias_file
+@c     fopen asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     fsetlocking ok
+@c     feof_unlocked ok
+@c     fgets_unlocked ok
+@c     isspace ok (locale mutex is locked)
+@c     extend_alias_table memleak, asmalloc
+@c      realloc memleak, asmalloc
+@c     realloc memleak, asmalloc
+@c     fclose asmalloc, selfdeadlock, memleak, fdleak, lockleak
+@c     qsort ok
+@c      alias_compare dup
+@c    libc_lock_unlock
+@c   _nl_explode_name
+@c   _nl_make_l10nflist
+@c   _nl_load_locale
+@c   __gconv_compare_alias
+@c   strndup asmalloc, memleak
+@c   strcasecmp_l (C locale)
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=422aa76fa083b6e69ae5ed04429e32a406c7ec93

commit 422aa76fa083b6e69ae5ed04429e32a406c7ec93
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=561ca151dcd427e997cb452b8d6aad6b2e251fc7

commit 561ca151dcd427e997cb452b8d6aad6b2e251fc7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=afdf3f5f5bd3ee6fc4230618b617cd0d4da134ca

commit afdf3f5f5bd3ee6fc4230618b617cd0d4da134ca
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5bc0ea1ef664f58498315ce61f27703cd001fd35

commit 5bc0ea1ef664f58498315ce61f27703cd001fd35
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c02af6635e7cc131c702dcff10cfe433c617fad5

commit c02af6635e7cc131c702dcff10cfe433c617fad5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=85c9005a07f05ad8d6d9f97158cb3e3292b0e989

commit 85c9005a07f05ad8d6d9f97158cb3e3292b0e989
Merge: 8d29f38 c759555 aa465b0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:20 2013 -0300

    delete


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8d29f38671b539e845cef7399e5421978714ef8a

commit 8d29f38671b539e845cef7399e5421978714ef8a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:20 2013 -0300

    delete

diff --git a/meta b/meta
index 941fdda..bd54f4f 100644
--- a/meta
+++ b/meta
@@ -1,34 +1,33 @@
 Version: 1
-Previous: 84b2959a1ba1806e2e666a90f9c9442950056937
-Head: 25a9ae1821970d7d17f86df0dbd323fe7776461b
+Previous: aa465b0085f4d4bc6523c446f7ce6870227c8992
+Head: c759555d9d5560131f6dc67be34fa2ae51f54c4f
 Applied:
-  powerpc-nofpu-sim-note-nothread.patch: 525ab96dd43fa6cf5d4f972271afec8d0c64c034
-  unused-scalb-is-scalbn.patch: 3c6c7a24be0a9b65939e04e9200cffa361848c4b
-  remove-sysdeps-ieee754-support.patch: 7b1263abc965a873a51d0f7b02987d8e3d6cf471
-  manual-document-mt-safety.patch: caa55786752ded57d80b3809700b9e5183af21ae
-  manual-document-mt-safety-argp.patch: 017da8adde97bccd79ab19b6d1175cfc9412a565
-  manual-document-mt-safety-arith.patch: c6564bb231120b06f93702c9956c90a57546222e
-  manual-document-mt-safety-charset.patch: 07dd04c5b4a440663c1751a1f38b09b33ab7f8af
-  manual-document-mt-safety-conf.patch: 134d875cb9e454a8243ac2ca8d0bd3d42f0252dc
-  manual-document-mt-safety-crypt.patch: 2069aec79bc11c99cf3e664d9042d76a7118bb88
-  manual-document-mt-safety-ctype.patch: 9945d2535a48b19f85206a5f18b4b15153af2597
-  manual-document-mt-safety-debug.patch: 7d2a9a7113f6aa3b14c1d75181c57c699cb3ccd1
-  manual-document-mt-safety-errno.patch: d9f4ac37690ac779579d891dd9ac2ea37b14a531
-  manual-document-mt-safety-filesys.patch: 392b19a1b6f9dc1268555fd513182d9ddc27977b
-  manual-document-mt-safety-getopt.patch: 5c951f02d9782d9ce3468def9b0a29015d11b31c
-  manual-document-mt-safety-libdl.patch: 695e13261917a34ed17d39bf7c68f612aeb53cab
-  manual-document-mt-safety-job.patch: 065671cbe43b4e8324ec30134b735b72b0a27a7d
-  manual-document-mt-safety-lang.patch: 16740ea74dca049974ec07baa32d1cd26c4642a9
-  manual-document-mt-safety-llio.patch: 184090294f40be1dea2c49ae667629f5513f2c25
-  manual-document-mt-safety-stdio.patch: 7b0a54addcada9b13059cdb0d03cf3fe0412f16d
-  wip-manual-document-mt-safety-locale.patch: 7555b069c35687dd895740205bfdf2241db9c6f3
-  wip-manual-document-mt-safety-math.patch: 1b4a6693b25118e662810d8480caa5189fdae82b
-  wip-manual-document-mt-safety-startup.patch: 4ca19b6ad7173d7b6694a135af31417639b5e2dc
-  wip-manual-document-mt-safety-search.patch: bfd482670800eebaa127193ef59428e7af3cfa1e
-  wip-manual-document-mt-safety-resource.patch: b46f5e4463116cb679a7e90d6fd7ea80e2a239db
-  wip-manual-document-mt-safety-string.patch: 5388cbb52e6f25c810d8c7c1e9d9cbb58945784e
-  wip-manual-document-mt-safety-terminal.patch: 1dbe8f76713dfcffe1af611cbe9a6054fed93484
-  wip-manual-document-mt-safety-threads.patch: 2e4662897991d33b3915b73cd23c5c140fd12c6e
-  wip-manual-document-mt-safety-time.patch: 25a9ae1821970d7d17f86df0dbd323fe7776461b
+  unused-scalb-is-scalbn.patch: 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
+  remove-sysdeps-ieee754-support.patch: fe6a5807692b034fba404bbe03d68929933eb91f
+  manual-document-mt-safety.patch: cfd5bbe11be81bd19bd894478f09f14ddd746ac8
+  manual-document-mt-safety-argp.patch: 091e1e16a3a7c50d382e0f9eee36d6d04bcd441a
+  manual-document-mt-safety-arith.patch: 6dfda39adb1d84728fb4d392927fe32c70717f8c
+  manual-document-mt-safety-charset.patch: b58ef1fd4f0b6a89317ebce875a8c6217da8e8fa
+  manual-document-mt-safety-conf.patch: c7e8ed57d8a8ef0461deb3bb02e64e7c3c3606c1
+  manual-document-mt-safety-crypt.patch: 9a99d1deaa001ca289c66c3832e5eaf4bee898b4
+  manual-document-mt-safety-ctype.patch: 6bef7c9b865d9b4002167b45edfc3e8d74063fcf
+  manual-document-mt-safety-debug.patch: 0b2dd076556329cdfefbe5adf3c6ea16167fe17b
+  manual-document-mt-safety-errno.patch: d03f2590278bbe0c5b64d2727c6a88103e1174c6
+  manual-document-mt-safety-filesys.patch: cd6798f9231759db9a66272f1e721010946710b4
+  manual-document-mt-safety-getopt.patch: 5acd0cba09b1c0411d3c0ff44ebad682781cdea4
+  manual-document-mt-safety-libdl.patch: a6dbb793abff10ea3a8779b118e43cd27d02cd33
+  manual-document-mt-safety-job.patch: 1302198bf7ea242f1be035891c34507df7fa27e7
+  manual-document-mt-safety-lang.patch: df244861d2cc8225a441c53b523f53150727ae62
+  manual-document-mt-safety-llio.patch: bf5c49825fd31327a529399b2400a6e592bbee3a
+  manual-document-mt-safety-stdio.patch: 8d679074193b580e3ea1b810b03b6c976a47f9cd
+  wip-manual-document-mt-safety-locale.patch: 0c975e33c4db3c285d4144bd8fa8ab684c8b500a
+  wip-manual-document-mt-safety-math.patch: 0ded06d761bd842d9d7f6ab9473b5af3789e20e2
+  wip-manual-document-mt-safety-startup.patch: 93ca5fa817ae6dc3d50a6990be8ae64d8b398e83
+  wip-manual-document-mt-safety-search.patch: 2f91898f8002f8d61d9aad3c436468301513d49e
+  wip-manual-document-mt-safety-resource.patch: 56296c84c59e84bc5a577f60252a3bca4e57944d
+  wip-manual-document-mt-safety-string.patch: b16c3cb1e8fe3228f39d484598829d52e8b9ac43
+  wip-manual-document-mt-safety-terminal.patch: cfab792fb4bc046f3274734d629c29d86856ef28
+  wip-manual-document-mt-safety-threads.patch: 97ee1ff6ce212b9a9a750393c65224d306fb2ddd
+  wip-manual-document-mt-safety-time.patch: c759555d9d5560131f6dc67be34fa2ae51f54c4f
 Unapplied:
 Hidden:
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
deleted file mode 100644
index f6f9132..0000000
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Bottom: 1049e70d3641bba6f9f04cf81836dfef2917e3b3
-Top:    1049e70d3641bba6f9f04cf81836dfef2917e3b3
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-17 01:25:03 -0300
-
-Note that powerpc fpu emulation status is not thread- or signal-safe.
-
-for  ports/ChangeLog.powerpc
-
-	PR 15483
-	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
-	the need for thread-specific variables preserved across signal
-	handlers.
-	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
-	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.
-
-
----
-
-

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4e51ca6a99c605099f12a779df0d47cceeb4ae4f

commit 4e51ca6a99c605099f12a779df0d47cceeb4ae4f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..c3142ad 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,434 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{oncesafe}
+@cindex oncesafe
+
+Functions marked with @code{oncesafe} use the internal @code{libc_once}
+machinery to initialize internal data structures.
+
+If a signal handler interrupts such an initializer, and calls any
+function that also performs @code{libc_once} initialization, it will
+deadlock if the thread library is linked in.
+
+Furthermore, if an initializer is partially complete before it is
+canceled or interrupted by a signal whose handler requires the same
+initialization, some or all of the initialization may be performed more
+than once, leaking resources or even result in corrupt internal data
+structures.
+
+Applications that need to call functions marked with @code{oncesafe}
+should ensure the initialization is performed before configuring signal
+handlers or enabling cancellation, so that the AS- and AC-Safety issues
+related with @code{libc_once} do not arise.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+properties we documented are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cfd5bbe11be81bd19bd894478f09f14ddd746ac8

commit cfd5bbe11be81bd19bd894478f09f14ddd746ac8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..d183e12 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,412 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+properties we documented are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3f6a86b4b41552229bec8e2e30c2f20b6e0cefa4

commit 3f6a86b4b41552229bec8e2e30c2f20b6e0cefa4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..5667af3 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,12 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Besides the usual possibility of getting an inconsistent stream in a
+@c signal handler or leaving it inconsistent in case of cancellation,
+@c the possibility of leaving a dangling pointer upon cancellation
+@c between reallocing the buffer at *lineptr and updating the pointer
+@c brings about another case of incansist.
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1321,8 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c See the getline incansist note.
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1347,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1371,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1397,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1407,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1417,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1508,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1546,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1605,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1621,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1631,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1641,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2383,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2393,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2403,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2411,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2419,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2444,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2469,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2540,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2573,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2644,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2653,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2662,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2711,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2719,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2727,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2735,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2743,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2751,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2827,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3068,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3320,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3384,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +4001,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4016,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4031,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4039,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4047,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4061,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4088,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4097,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4106,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4114,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4122,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4130,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4180,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4190,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4204,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4215,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4243,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4254,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4368,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4381,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4405,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4421,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4441,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4465,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4514,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4636,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4651,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4664,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4681,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4793,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4806,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4823,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4845,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4870,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4948,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4962,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4974,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4989,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +5003,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5014,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5062,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5118,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5234,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5416,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5557,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8d679074193b580e3ea1b810b03b6c976a47f9cd

commit 8d679074193b580e3ea1b810b03b6c976a47f9cd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c759555d9d5560131f6dc67be34fa2ae51f54c4f

commit c759555d9d5560131f6dc67be34fa2ae51f54c4f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe6a5807692b034fba404bbe03d68929933eb91f

commit fe6a5807692b034fba404bbe03d68929933eb91f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Remove unused sysdeps/ieee754/support.c.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c: Remove.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
deleted file mode 100644
index 0bbd892..0000000
--- a/sysdeps/ieee754/support.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
-#endif /* not lint */
-
-/*
- * Some IEEE standard 754 recommended functions and remainder and sqrt for
- * supporting the C elementary functions.
- ******************************************************************************
- * WARNING:
- *      These codes are developed (in double) to support the C elementary
- * functions temporarily. They are not universal, and some of them are very
- * slow (in particular, drem and sqrt is extremely inefficient). Each
- * computer system should have its implementation of these functions using
- * its own assembler.
- ******************************************************************************
- *
- * IEEE 754 required operations:
- *     drem(x,p)
- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
- *              nearest x/y; in half way case, choose the even one.
- *     sqrt(x)
- *              returns the square root of x correctly rounded according to
- *		the rounding mod.
- *
- * IEEE 754 recommended functions:
- * (a) copysign(x,y)
- *              returns x with the sign of y.
- * (b) scalb(x,N)
- *              returns  x * (2**N), for integer values N.
- * (c) logb(x)
- *              returns the unbiased exponent of x, a signed integer in
- *              double precision, except that logb(0) is -INF, logb(INF)
- *              is +INF, and logb(NAN) is that NAN.
- * (d) finite(x)
- *              returns the value TRUE if -INF < x < +INF and returns
- *              FALSE otherwise.
- *
- *
- * CODED IN C BY K.C. NG, 11/25/84;
- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
- */
-
-#include "mathimpl.h"
-
-#if defined(vax)||defined(tahoe)      /* VAX D format */
-#include <errno.h>
-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
-    static const short  prep1=57, gap=7, bias=129           ;
-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
-#else	/* defined(vax)||defined(tahoe) */
-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
-    static const short prep1=54, gap=4, bias=1023           ;
-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
-#endif	/* defined(vax)||defined(tahoe) */
-
-double scalbn(x,N)
-double x; int N;
-{
-        int k;
-
-#ifdef national
-        unsigned short *px=(unsigned short *) &x + 3;
-#else	/* national */
-        unsigned short *px=(unsigned short *) &x;
-#endif	/* national */
-
-        if( x == zero )  return(x);
-
-#if defined(vax)||defined(tahoe)
-        if( (k= *px & mexp ) != ~msign ) {
-            if (N < -260)
-		return(nunf*nunf);
-	    else if (N > 260) {
-		return(copysign(infnan(ERANGE),x));
-	    }
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp ) {
-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
-            if( k == 0 ) {
-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
-#endif	/* defined(vax)||defined(tahoe) */
-
-            if((k = (k>>gap)+ N) > 0 )
-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
-                else x=novf+novf;               /* overflow */
-            else
-                if( k > -prep1 )
-                                        /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
-                else
-                return(nunf*nunf);
-            }
-        return(x);
-}
-
-
-double copysign(x,y)
-double x,y;
-{
-#ifdef national
-        unsigned short  *px=(unsigned short *) &x+3,
-                        *py=(unsigned short *) &y+3;
-#else	/* national */
-        unsigned short  *px=(unsigned short *) &x,
-                        *py=(unsigned short *) &y;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        if ( (*px & mexp) == 0 ) return(x);
-#endif	/* defined(vax)||defined(tahoe) */
-
-        *px = ( *px & msign ) | ( *py & ~msign );
-        return(x);
-}
-
-double logb(x)
-double x;
-{
-
-#ifdef national
-        short *px=(short *) &x+3, k;
-#else	/* national */
-        short *px=(short *) &x, k;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        return (int)(((*px&mexp)>>gap)-bias);
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp )
-            if ( k != 0 )
-                return ( (k>>gap) - bias );
-            else if( x != zero)
-                return ( -1022.0 );
-            else
-                return(-(1.0/zero));
-        else if(x != x)
-            return(x);
-        else
-            {*px &= msign; return(x);}
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-finite(x)
-double x;
-{
-#if defined(vax)||defined(tahoe)
-        return(1);
-#else	/* defined(vax)||defined(tahoe) */
-#ifdef national
-        return( (*((short *) &x+3 ) & mexp ) != mexp );
-#else	/* national */
-        return( (*((short *) &x ) & mexp ) != mexp );
-#endif	/* national */
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-double drem(x,p)
-double x,p;
-{
-        short sign;
-        double hp,dp,tmp;
-        unsigned short  k;
-#ifdef national
-        unsigned short
-              *px=(unsigned short *) &x  +3,
-              *pp=(unsigned short *) &p  +3,
-              *pd=(unsigned short *) &dp +3,
-              *pt=(unsigned short *) &tmp+3;
-#else	/* national */
-        unsigned short
-              *px=(unsigned short *) &x  ,
-              *pp=(unsigned short *) &p  ,
-              *pd=(unsigned short *) &dp ,
-              *pt=(unsigned short *) &tmp;
-#endif	/* national */
-
-        *pp &= msign ;
-
-#if defined(vax)||defined(tahoe)
-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *px & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		return  (x-p)-(x-p);	/* create nan if x is inf */
-	if (p == zero) {
-#if defined(vax)||defined(tahoe)
-		return(infnan(EDOM));
-#else	/* defined(vax)||defined(tahoe) */
-		return zero/zero;
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-#if defined(vax)||defined(tahoe)
-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *pp & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		{ if (p != p) return p; else return x;}
-
-        else  if ( ((*pp & mexp)>>gap) <= 1 )
-                /* subnormal p, or almost subnormal p */
-            { double b; b=scalbn(1.0,(int)prep1);
-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
-        else  if ( p >= novf/2)
-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
-        else
-            {
-                dp=p+p; hp=p/2;
-                sign= *px & ~msign ;
-                *px &= msign       ;
-                while ( x > dp )
-                    {
-                        k=(*px & mexp) - (*pd & mexp) ;
-                        tmp = dp ;
-                        *pt += k ;
-
-#if defined(vax)||defined(tahoe)
-                        if( x < tmp ) *pt -= 128 ;
-#else	/* defined(vax)||defined(tahoe) */
-                        if( x < tmp ) *pt -= 16 ;
-#endif	/* defined(vax)||defined(tahoe) */
-
-                        x -= tmp ;
-                    }
-                if ( x > hp )
-                    { x -= p ;  if ( x >= hp ) x -= p ; }
-
-#if defined(vax)||defined(tahoe)
-		if (x)
-#endif	/* defined(vax)||defined(tahoe) */
-			*px ^= sign;
-                return( x);
-
-            }
-}
-
-
-double sqrt(x)
-double x;
-{
-        double q,s,b,r;
-        double t;
-	double const zero=0.0;
-        int m,n,i;
-#if defined(vax)||defined(tahoe)
-        int k=54;
-#else	/* defined(vax)||defined(tahoe) */
-        int k=51;
-#endif	/* defined(vax)||defined(tahoe) */
-
-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-        if(x!=x||x==zero) return(x);
-
-    /* sqrt(negative) is invalid */
-        if(x<zero) {
-#if defined(vax)||defined(tahoe)
-		return (infnan(EDOM));	/* NaN */
-#else	/* defined(vax)||defined(tahoe) */
-		return(zero/zero);
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-    /* sqrt(INF) is INF */
-        if(!finite(x)) return(x);
-
-    /* scale x to [1,4) */
-        n=logb(x);
-        x=scalbn(x,-n);
-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
-        m += n;
-        n = m/2;
-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
-
-    /* generate sqrt(x) bit by bit (accumulating in q) */
-            q=1.0; s=4.0; x -= 1.0; r=1;
-            for(i=1;i<=k;i++) {
-                t=s+1; x *= 4; r /= 2;
-                if(t<=x) {
-                    s=t+t+2, x -= t; q += r;}
-                else
-                    s *= 2;
-                }
-
-    /* generate the last bit and determine the final rounding */
-            r/=2; x *= 4;
-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
-            if(s<x) {
-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
-                t = (x-s)-5;
-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
-            else {
-                s *= 2; x *= 4;
-                t = (x-s)-1;
-                b=1.0+3*r/4; if(b==1.0) goto end;
-                b=1.0+r/4;   if(b>1.0) t=1;
-                if(t>=0) q+=r; }
-
-end:        return(scalbn(q,n));
-}
-
-#if 0
-/* DREM(X,Y)
- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
- * INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions (not on a VAX):
- *     swapINX(i): save inexact flag and reset it to "i"
- *     swapENI(e): save inexact enable and reset it to "e"
- */
-
-double drem(x,y)
-double x,y;
-{
-
-#ifdef national		/* order of words in floating point number */
-	static const n0=3,n1=2,n2=1,n3=0;
-#else /* VAX, SUN, ZILOG, TAHOE */
-	static const n0=0,n1=1,n2=2,n3=3;
-#endif
-
-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
-	static const double zero=0.0;
-	double hy,y1,t,t1;
-	short k;
-	long n;
-	int i,e;
-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
-			nx,nf,	  *py  =(unsigned short *) &y  ,
-			sign,	  *pt  =(unsigned short *) &t  ,
-				  *pt1 =(unsigned short *) &t1 ;
-
-	xexp = px[n0] & mexp ;	/* exponent of x */
-	yexp = py[n0] & mexp ;	/* exponent of y */
-	sign = px[n0] &0x8000;	/* sign of x     */
-
-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
-	if(y==zero) return(y/y);
-
-/* save the inexact flag and inexact enable in i and e respectively
- * and reset them to zero
- */
-	i=swapINX(0);	e=swapENI(0);
-
-/* subnormal number */
-	nx=0;
-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
-
-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
-
-	nf=nx;
-	py[n0] &= 0x7fff;
-	px[n0] &= 0x7fff;
-
-/* mask off the least significant 27 bits of y */
-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
-
-/* LOOP: argument reduction on x whenever x > y */
-loop:
-	while ( x > y )
-	{
-	    t=y;
-	    t1=y1;
-	    xexp=px[n0]&mexp;	  /* exponent of x */
-	    k=xexp-yexp-m25;
-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
-		{pt[n0]+=k;pt1[n0]+=k;}
-	    n=x/t; x=(x-n*t1)-n*(t-t1);
-	}
-    /* end while (x > y) */
-
-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
-
-/* final adjustment */
-
-	hy=y/2.0;
-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
-	px[n0] ^= sign;
-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
-
-/* restore inexact flag and inexact enable */
-	swapINX(i); swapENI(e);
-
-	return(x);
-}
-#endif
-
-#if 0
-/* SQRT
- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/22/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions:
- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
- */
-
-static const unsigned long table[] = {
-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
-
-double newsqrt(x)
-double x;
-{
-        double y,z,t,addc(),subc()
-	double const b54=134217728.*134217728.; /* b54=2**54 */
-        long mx,scalx;
-	long const mexp=0x7ff00000;
-        int i,j,r,e,swapINX(),swapRM(),swapENI();
-        unsigned long *py=(unsigned long *) &y   ,
-                      *pt=(unsigned long *) &t   ,
-                      *px=(unsigned long *) &x   ;
-#ifdef national         /* ordering of word in a floating point number */
-        const int n0=1, n1=0;
-#else
-        const int n0=0, n1=1;
-#endif
-/* Rounding Mode:  RN ...round-to-nearest
- *                 RZ ...round-towards 0
- *                 RP ...round-towards +INF
- *		   RM ...round-towards -INF
- */
-        const int RN=0,RZ=1,RP=2,RM=3;
-				/* machine dependent: work on a Zilog Z8070
-                                 * and a National 32081 & 16081
-                                 */
-
-/* exceptions */
-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
-
-/* save, reset, initialize */
-        e=swapENI(0);   /* ...save and reset the inexact enable */
-        i=swapINX(0);   /* ...save INEXACT flag */
-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
-        scalx=0;
-
-/* subnormal number, scale up x to x*2**54 */
-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
-
-/* scale x to avoid intermediate over/underflow:
- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
-
-/* magic initial approximation to almost 8 sig. bits */
-        py[n0]=(px[n0]>>1)+0x1ff80000;
-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
-
-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
-
-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
-
-/* twiddle last bit to force y correctly rounded */
-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
-        swapINX(0);     /* ...clear INEXACT flag */
-        swapENI(e);     /* ...restore inexact enable status */
-        t=x/y;          /* ...chopped quotient, possibly inexact */
-        j=swapINX(i);   /* ...read and restore inexact flag */
-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
-        y=y+t;                          /* ...chopped sum */
-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
-        swapRM(r);                      /* ...restore Rounding Mode */
-        return(y);
-}
-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bf5c49825fd31327a529399b2400a6e592bbee3a

commit bf5c49825fd31327a529399b2400a6e592bbee3a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1326,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1353,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1450,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1585,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1597,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1609,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1728,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2201,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2287,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2463,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2775,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3882,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3902,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=97ee1ff6ce212b9a9a750393c65224d306fb2ddd

commit 97ee1ff6ce212b9a9a750393c65224d306fb2ddd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7

commit 05db560ffbca9d70d3f8cb8275b5f82ebd0a1fa7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:03 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=df244861d2cc8225a441c53b523f53150727ae62

commit df244861d2cc8225a441c53b523f53150727ae62
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cfab792fb4bc046f3274734d629c29d86856ef28

commit cfab792fb4bc046f3274734d629c29d86856ef28
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1302198bf7ea242f1be035891c34507df7fa27e7

commit 1302198bf7ea242f1be035891c34507df7fa27e7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1154,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1188,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1227,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1322,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b16c3cb1e8fe3228f39d484598829d52e8b9ac43

commit b16c3cb1e8fe3228f39d484598829d52e8b9ac43
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a6dbb793abff10ea3a8779b118e43cd27d02cd33

commit a6dbb793abff10ea3a8779b118e43cd27d02cd33
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=56296c84c59e84bc5a577f60252a3bca4e57944d

commit 56296c84c59e84bc5a577f60252a3bca4e57944d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5acd0cba09b1c0411d3c0ff44ebad682781cdea4

commit 5acd0cba09b1c0411d3c0ff44ebad682781cdea4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2f91898f8002f8d61d9aad3c436468301513d49e

commit 2f91898f8002f8d61d9aad3c436468301513d49e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cd6798f9231759db9a66272f1e721010946710b4

commit cd6798f9231759db9a66272f1e721010946710b4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 814c210..c7eb13b 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the
 file.  This structure is associated with the @var{dirstream} handle
@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is a version of @code{readdir} which performs internal
 locking.  Like @code{readdir} it returns the next entry from the
 directory.  To prevent conflicts between simultaneously running
@@ -549,6 +591,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -630,6 +683,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -649,6 +706,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -679,6 +749,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -913,6 +993,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1223,6 +1320,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1282,6 +1380,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1323,6 +1423,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1404,6 +1507,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1908,6 +2020,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1942,6 +2056,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1969,6 +2091,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -2007,12 +2132,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -2020,6 +2147,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -2027,12 +2155,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2765,6 +2907,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2830,6 +2979,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2846,6 +2998,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3225,6 +3413,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=93ca5fa817ae6dc3d50a6990be8ae64d8b398e83

commit 93ca5fa817ae6dc3d50a6990be8ae64d8b398e83
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d03f2590278bbe0c5b64d2727c6a88103e1174c6

commit d03f2590278bbe0c5b64d2727c6a88103e1174c6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0ded06d761bd842d9d7f6ab9473b5af3789e20e2

commit 0ded06d761bd842d9d7f6ab9473b5af3789e20e2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0b2dd076556329cdfefbe5adf3c6ea16167fe17b

commit 0b2dd076556329cdfefbe5adf3c6ea16167fe17b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0c975e33c4db3c285d4144bd8fa8ab684c8b500a

commit 0c975e33c4db3c285d4144bd8fa8ab684c8b500a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6bef7c9b865d9b4002167b45edfc3e8d74063fcf

commit 6bef7c9b865d9b4002167b45edfc3e8d74063fcf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9a99d1deaa001ca289c66c3832e5eaf4bee898b4

commit 9a99d1deaa001ca289c66c3832e5eaf4bee898b4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..a3c8fa5 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,6 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
@@ -127,6 +134,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +202,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +250,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +266,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +281,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +300,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +382,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +409,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c7e8ed57d8a8ef0461deb3bb02e64e7c3c3606c1

commit c7e8ed57d8a8ef0461deb3bb02e64e7c3c3606c1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index c720063..79bfcdb 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1348,6 +1359,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1375,6 +1391,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1624,6 +1642,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b58ef1fd4f0b6a89317ebce875a8c6217da8e8fa

commit b58ef1fd4f0b6a89317ebce875a8c6217da8e8fa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6dfda39adb1d84728fb4d392927fe32c70717f8c

commit 6dfda39adb1d84728fb4d392927fe32c70717f8c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=091e1e16a3a7c50d382e0f9eee36d6d04bcd441a

commit 091e1e16a3a7c50d382e0f9eee36d6d04bcd441a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=aa465b0085f4d4bc6523c446f7ce6870227c8992

commit aa465b0085f4d4bc6523c446f7ce6870227c8992
Merge: 0e4688e 25a9ae1 84b2959
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:11 2013 -0300

    pull


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0e4688e6cf1ac6e25b4ce9bf7efd38631c30562c

commit 0e4688e6cf1ac6e25b4ce9bf7efd38631c30562c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:11 2013 -0300

    pull

diff --git a/meta b/meta
index 73cfd6c..941fdda 100644
--- a/meta
+++ b/meta
@@ -1,34 +1,34 @@
 Version: 1
-Previous: 40bbc25610275afafd89540b32d05e827517453f
-Head: 3f154dc87b1520a90a6a60ee3f64313f37cbe6af
+Previous: 84b2959a1ba1806e2e666a90f9c9442950056937
+Head: 25a9ae1821970d7d17f86df0dbd323fe7776461b
 Applied:
-  powerpc-nofpu-sim-note-nothread.patch: 696f6dab87abef96e7993fda3f143bbdeb1f34e8
-  unused-scalb-is-scalbn.patch: 8e4917e9cf19e11865e8257a23808022f8661b79
-  remove-sysdeps-ieee754-support.patch: a695677bd128bab38d17152a529deb639c38a9cc
-  manual-document-mt-safety.patch: 68be24a2fdb555f49822dadce0e7a9dcce313fef
-  manual-document-mt-safety-argp.patch: 3140ac4a6f81a1c3771e446d1b992366ac25c1fd
-  manual-document-mt-safety-arith.patch: 26f6a615ed5791824c49a73f2c3f2363a1068a67
-  manual-document-mt-safety-charset.patch: 0df07b4fc684fb54e4439dc6d2c3dbbe1bfebcc1
-  manual-document-mt-safety-conf.patch: d07742aef69215a1f5e40b91d1ce62d2bd0f3436
-  manual-document-mt-safety-crypt.patch: 9612e68916ea2d715e826de3ea1e63449b56113a
-  manual-document-mt-safety-ctype.patch: f9c7c5a3a45afe0537eac97659a8035fcd353755
-  manual-document-mt-safety-debug.patch: 93d4600a981245726112f8653ae093789c5781bc
-  manual-document-mt-safety-errno.patch: 1de4023eaef09c4f66ee8cda9af72299102a6a11
-  manual-document-mt-safety-filesys.patch: 20cfc6cc280a99c7c5c322f9017a835c88940e9d
-  manual-document-mt-safety-getopt.patch: 9f6db34fbf2abae189d89ed0c55f39e8b6e1567d
-  manual-document-mt-safety-libdl.patch: c36ed4e31f0b32016ac4ff66c3f78b796cc60c4d
-  manual-document-mt-safety-job.patch: 5f947de962b5bc8635e43505a3e620452207d5e9
-  manual-document-mt-safety-lang.patch: 0bb0d49f0ce8515d039525a62babee3ee8041467
-  manual-document-mt-safety-llio.patch: d2d0d5547508d14d2b0f8f184b0cb6567a5f3b3b
-  manual-document-mt-safety-stdio.patch: 657da16d7c4dc73ea2a34ee6bfb0443c4f673a5e
-  wip-manual-document-mt-safety-locale.patch: fa0471dff7f451bafb03203df03f3ed569ae49bf
-  wip-manual-document-mt-safety-math.patch: 76f2d203176f382ef78fc4fe0489bdafb8f8a7e0
-  wip-manual-document-mt-safety-startup.patch: a79bade490b89767d07e59d0f983ca57e360c013
-  wip-manual-document-mt-safety-search.patch: 644f9527c94cba4151e00bc4c4f48b06eb1b6181
-  wip-manual-document-mt-safety-resource.patch: a71b7807900481c356bb648d1c572b7d8e50a9c2
-  wip-manual-document-mt-safety-string.patch: c72458cec4f9e82364a18bd1b2fce9e3ad5b7d0a
-  wip-manual-document-mt-safety-terminal.patch: 26939672f6abb9771a3c6832b6751de75dfd10ae
-  wip-manual-document-mt-safety-threads.patch: ffddbd41d3291cd5b098dde10f2e5253124b8813
-  wip-manual-document-mt-safety-time.patch: 3f154dc87b1520a90a6a60ee3f64313f37cbe6af
+  powerpc-nofpu-sim-note-nothread.patch: 525ab96dd43fa6cf5d4f972271afec8d0c64c034
+  unused-scalb-is-scalbn.patch: 3c6c7a24be0a9b65939e04e9200cffa361848c4b
+  remove-sysdeps-ieee754-support.patch: 7b1263abc965a873a51d0f7b02987d8e3d6cf471
+  manual-document-mt-safety.patch: caa55786752ded57d80b3809700b9e5183af21ae
+  manual-document-mt-safety-argp.patch: 017da8adde97bccd79ab19b6d1175cfc9412a565
+  manual-document-mt-safety-arith.patch: c6564bb231120b06f93702c9956c90a57546222e
+  manual-document-mt-safety-charset.patch: 07dd04c5b4a440663c1751a1f38b09b33ab7f8af
+  manual-document-mt-safety-conf.patch: 134d875cb9e454a8243ac2ca8d0bd3d42f0252dc
+  manual-document-mt-safety-crypt.patch: 2069aec79bc11c99cf3e664d9042d76a7118bb88
+  manual-document-mt-safety-ctype.patch: 9945d2535a48b19f85206a5f18b4b15153af2597
+  manual-document-mt-safety-debug.patch: 7d2a9a7113f6aa3b14c1d75181c57c699cb3ccd1
+  manual-document-mt-safety-errno.patch: d9f4ac37690ac779579d891dd9ac2ea37b14a531
+  manual-document-mt-safety-filesys.patch: 392b19a1b6f9dc1268555fd513182d9ddc27977b
+  manual-document-mt-safety-getopt.patch: 5c951f02d9782d9ce3468def9b0a29015d11b31c
+  manual-document-mt-safety-libdl.patch: 695e13261917a34ed17d39bf7c68f612aeb53cab
+  manual-document-mt-safety-job.patch: 065671cbe43b4e8324ec30134b735b72b0a27a7d
+  manual-document-mt-safety-lang.patch: 16740ea74dca049974ec07baa32d1cd26c4642a9
+  manual-document-mt-safety-llio.patch: 184090294f40be1dea2c49ae667629f5513f2c25
+  manual-document-mt-safety-stdio.patch: 7b0a54addcada9b13059cdb0d03cf3fe0412f16d
+  wip-manual-document-mt-safety-locale.patch: 7555b069c35687dd895740205bfdf2241db9c6f3
+  wip-manual-document-mt-safety-math.patch: 1b4a6693b25118e662810d8480caa5189fdae82b
+  wip-manual-document-mt-safety-startup.patch: 4ca19b6ad7173d7b6694a135af31417639b5e2dc
+  wip-manual-document-mt-safety-search.patch: bfd482670800eebaa127193ef59428e7af3cfa1e
+  wip-manual-document-mt-safety-resource.patch: b46f5e4463116cb679a7e90d6fd7ea80e2a239db
+  wip-manual-document-mt-safety-string.patch: 5388cbb52e6f25c810d8c7c1e9d9cbb58945784e
+  wip-manual-document-mt-safety-terminal.patch: 1dbe8f76713dfcffe1af611cbe9a6054fed93484
+  wip-manual-document-mt-safety-threads.patch: 2e4662897991d33b3915b73cd23c5c140fd12c6e
+  wip-manual-document-mt-safety-time.patch: 25a9ae1821970d7d17f86df0dbd323fe7776461b
 Unapplied:
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 2d84eea..04e77a4 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,7 +1,7 @@
-Bottom: 9a965dda103f127bc6ee768c73f81465bb617ddc
-Top:    42073023177bd6d20e6b8df2090232d020997496
+Bottom: 9dc17c777e87d9e8550bcf18a685ec2e017a008c
+Top:    8fa20da58a327ce236a45260745f81ec87a5a28c
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:53 -0300
+Date:   2013-08-17 01:25:04 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 7910a8d..ad9a44a 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,7 +1,7 @@
-Bottom: 42073023177bd6d20e6b8df2090232d020997496
-Top:    50364dad6f3079f8f8364e094b81d4f279e17b9a
+Bottom: 8fa20da58a327ce236a45260745f81ec87a5a28c
+Top:    9e00847513aa8ca3dd870c7142c8ee63c1eea05f
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:53 -0300
+Date:   2013-08-17 01:25:05 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index 38ab65e..eb1d974 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,7 +1,7 @@
-Bottom: 50364dad6f3079f8f8364e094b81d4f279e17b9a
-Top:    2057130a7d71203b9a9f38120e917b098c480a6f
+Bottom: 9e00847513aa8ca3dd870c7142c8ee63c1eea05f
+Top:    25ef582a24250de1e2072a4015dacbfc5c2841bb
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:53 -0300
+Date:   2013-08-17 01:25:05 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index 4a2d7b5..a919d8b 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,7 +1,7 @@
-Bottom: 2057130a7d71203b9a9f38120e917b098c480a6f
-Top:    94804776420739d4e7851f76aae8683d669215d4
+Bottom: 25ef582a24250de1e2072a4015dacbfc5c2841bb
+Top:    b0eacdf8728c94a1f78c8f658a008efcaabcc9d2
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:53 -0300
+Date:   2013-08-17 01:25:05 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index a16a183..c361847 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,7 +1,7 @@
-Bottom: 94804776420739d4e7851f76aae8683d669215d4
-Top:    f5c503197dbf6356975447e7636e2dd3143a2989
+Bottom: b0eacdf8728c94a1f78c8f658a008efcaabcc9d2
+Top:    c0b0db21cd11bbf3316e8c83167e162e23ad5bfa
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:54 -0300
+Date:   2013-08-17 01:25:05 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index e6d4b14..3b2e49c 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,7 +1,7 @@
-Bottom: f5c503197dbf6356975447e7636e2dd3143a2989
-Top:    003a6157dc020fa72680ae4a6ca0b81297cad891
+Bottom: c0b0db21cd11bbf3316e8c83167e162e23ad5bfa
+Top:    1ac0ccdda2df342408b295e5121112bafddb3284
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:54 -0300
+Date:   2013-08-17 01:25:05 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 952e178..5283b95 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,7 +1,7 @@
-Bottom: 003a6157dc020fa72680ae4a6ca0b81297cad891
-Top:    1bfb6d75e28a05d618536054d216af24c1d005eb
+Bottom: 1ac0ccdda2df342408b295e5121112bafddb3284
+Top:    dc9e760360eb18c8fb0f2184676b14e7bc2177c3
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:54 -0300
+Date:   2013-08-17 01:25:06 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index d209c0e..c0ca2ec 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,7 +1,7 @@
-Bottom: 1bfb6d75e28a05d618536054d216af24c1d005eb
-Top:    e7b3cec4e03306c8e81023c08b98e74a0faacbbe
+Bottom: dc9e760360eb18c8fb0f2184676b14e7bc2177c3
+Top:    6f36388aba0015568b6b2a4816dacc50146cb3fe
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:55 -0300
+Date:   2013-08-17 01:25:06 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 397230b..6769498 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,7 +1,7 @@
-Bottom: e7b3cec4e03306c8e81023c08b98e74a0faacbbe
-Top:    7fa654adb8d9082bddec3251021da106124844a9
+Bottom: 6f36388aba0015568b6b2a4816dacc50146cb3fe
+Top:    fde229599e21ef688d3e4b9f2339df8c55a7a992
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:55 -0300
+Date:   2013-08-17 01:25:06 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 8e2d03d..cbc973f 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,7 +1,7 @@
-Bottom: 7fa654adb8d9082bddec3251021da106124844a9
-Top:    1b375656241ea5dc462b0293bea840893b4f359b
+Bottom: fde229599e21ef688d3e4b9f2339df8c55a7a992
+Top:    6d7e1278667b262f6475d7f0930713e0fcaf2164
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:06:36 -0300
+Date:   2013-08-17 01:25:06 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 132b58d..78e372d 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,7 +1,7 @@
-Bottom: 3d94d1b2c3bcc092b3df348e4cb20a0cc767b53d
-Top:    2230f3ad68c0c728603008b7ef5a718ed6999f8a
+Bottom: 84a81eb5208d547308c0551a8daf7274f5f51893
+Top:    464934e3117acbbe947a28a984738c55ac1e7982
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:08:15 -0300
+Date:   2013-08-17 01:25:07 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 3958ddb..c3e1fa5 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,7 +1,7 @@
-Bottom: 2230f3ad68c0c728603008b7ef5a718ed6999f8a
-Top:    03db9c41a3d5843dd52386d18ea8d5ae4fbaa790
+Bottom: 464934e3117acbbe947a28a984738c55ac1e7982
+Top:    97ed577a7b5de423e0cbd73e6199c1d5d77a2db2
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:08:32 -0300
+Date:   2013-08-17 01:25:07 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index ba39838..45921f9 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,7 +1,7 @@
-Bottom: 1b375656241ea5dc462b0293bea840893b4f359b
-Top:    3d94d1b2c3bcc092b3df348e4cb20a0cc767b53d
+Bottom: 6d7e1278667b262f6475d7f0930713e0fcaf2164
+Top:    84a81eb5208d547308c0551a8daf7274f5f51893
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:08:59 -0300
+Date:   2013-08-17 01:25:07 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 6983a10..232d2b0 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,7 +1,7 @@
-Bottom: 03db9c41a3d5843dd52386d18ea8d5ae4fbaa790
-Top:    f3d45f3a5174c95fda4ca14c3895dea94162ab84
+Bottom: 97ed577a7b5de423e0cbd73e6199c1d5d77a2db2
+Top:    93d7801d18acd26c49da4772fbbaa130e15e8c35
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:09:32 -0300
+Date:   2013-08-17 01:25:07 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 75523e4..f0316b1 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,7 +1,7 @@
-Bottom: f3d45f3a5174c95fda4ca14c3895dea94162ab84
-Top:    871bd834ba505ea12044bc0802ca64d8ac8687bd
+Bottom: 93d7801d18acd26c49da4772fbbaa130e15e8c35
+Top:    e50028beb84ad6b675a13f914ea7f6020b0041fb
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:40 -0300
+Date:   2013-08-17 01:25:08 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index d425832..4c64009 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,7 +1,7 @@
-Bottom: 3e408a78cb48814b5d0267f4ac1660cd08e00d24
-Top:    9a965dda103f127bc6ee768c73f81465bb617ddc
+Bottom: 39cf8b6977e5b0eb658a937d498281477afa6821
+Top:    9dc17c777e87d9e8550bcf18a685ec2e017a008c
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:52 -0300
+Date:   2013-08-17 01:25:04 -0300
 
 Thread safety documentation.
 
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index 300c5fe..f6f9132 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,7 +1,7 @@
-Bottom: 268277f390b889cc857152d268242bd603036b9e
-Top:    16be1a6432db4b53f29115b9a137e0a9b5f72d63
+Bottom: 1049e70d3641bba6f9f04cf81836dfef2917e3b3
+Top:    1049e70d3641bba6f9f04cf81836dfef2917e3b3
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:51 -0300
+Date:   2013-08-17 01:25:03 -0300
 
 Note that powerpc fpu emulation status is not thread- or signal-safe.
 
@@ -17,51 +17,4 @@ for  ports/ChangeLog.powerpc
 
 ---
 
-diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
-index fc061d0..e167033 100644
---- a/ports/sysdeps/powerpc/nofpu/sim-full.c
-+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
-@@ -21,6 +21,11 @@
- #include "soft-fp.h"
- #include "soft-supp.h"
- 
-+/* FIXME: these variables should be thread specific (see bugzilla bug
-+   15483) and ideally preserved across signal handlers, like hardware
-+   FP status words, but the latter is quite difficult to accomplish in
-+   userland.  */
-+
- /* Global to store sticky exceptions.  */
- int __sim_exceptions __attribute__ ((nocommon));
- libc_hidden_data_def (__sim_exceptions);
-diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
-index b9638bb..64a3d2a 100644
---- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
-+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
-@@ -26,6 +26,11 @@ typedef union
- } fenv_union_t;
- 
- 
-+/* FIXME: these variables should be thread specific (see bugzilla bug
-+   15483) and ideally preserved across signal handlers, like hardware
-+   FP status words, but the latter is quite difficult to accomplish in
-+   userland.  */
-+
- extern int __sim_exceptions;
- libc_hidden_proto (__sim_exceptions);
- extern int __sim_disabled_exceptions;
-diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
-index c2a190e..508d869 100644
---- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
-+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
-@@ -54,6 +54,11 @@
- #define FP_ROUNDMODE          __sim_round_mode
- #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
- 
-+/* FIXME: these variables should be thread specific (see bugzilla bug
-+   15483) and ideally preserved across signal handlers, like hardware
-+   FP status words, but the latter is quite difficult to accomplish in
-+   userland.  */
-+
- extern int __sim_exceptions;
- libc_hidden_proto (__sim_exceptions);
- extern int __sim_disabled_exceptions;
+
diff --git a/patches/remove-sysdeps-ieee754-support.patch b/patches/remove-sysdeps-ieee754-support.patch
index 7a78a03..034bcd4 100644
--- a/patches/remove-sysdeps-ieee754-support.patch
+++ b/patches/remove-sysdeps-ieee754-support.patch
@@ -1,7 +1,7 @@
-Bottom: 411b24ed46994f8860e4a688d6846bba3af6a601
-Top:    3e408a78cb48814b5d0267f4ac1660cd08e00d24
+Bottom: d06b3f23c180fe174e52c5f9388baa61d6ac33cc
+Top:    39cf8b6977e5b0eb658a937d498281477afa6821
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:52 -0300
+Date:   2013-08-17 01:25:04 -0300
 
 Remove unused sysdeps/ieee754/support.c.
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 2b74aea..29447c9 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,7 +1,7 @@
-Bottom: 16be1a6432db4b53f29115b9a137e0a9b5f72d63
-Top:    411b24ed46994f8860e4a688d6846bba3af6a601
+Bottom: 1049e70d3641bba6f9f04cf81836dfef2917e3b3
+Top:    d06b3f23c180fe174e52c5f9388baa61d6ac33cc
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:52:51 -0300
+Date:   2013-08-17 01:25:03 -0300
 
 Rename unused scalb to scalbn to match prototype.
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index bad17dd..8156a4d 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,7 +1,7 @@
-Bottom: 871bd834ba505ea12044bc0802ca64d8ac8687bd
-Top:    7eb11a4a93285c6437a6a76fcfe3bdb4f7ab231e
+Bottom: e50028beb84ad6b675a13f914ea7f6020b0041fb
+Top:    478b5a9511d73300038688d295275adc008791fb
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:40 -0300
+Date:   2013-08-17 01:25:08 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 51ccaa8..cbdf2ce 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,7 +1,7 @@
-Bottom: 7eb11a4a93285c6437a6a76fcfe3bdb4f7ab231e
-Top:    3e2da94112b66d7d2a5c0302a59092c351a9beae
+Bottom: 478b5a9511d73300038688d295275adc008791fb
+Top:    c1f6d017ec3215a105705280d9d4e90b49cdb2fc
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:40 -0300
+Date:   2013-08-17 01:25:08 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 12c14b8..b4ba175 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,7 +1,7 @@
-Bottom: 40ef432615a0798e880ce4bf9d0fed695d2d1fe1
-Top:    f2c97e058bb7c8c3103a9dd012dcb253194148a9
+Bottom: feea6b866c2cad47f44d83b24583aeb2e3dc5922
+Top:    be3798257ab5eb1ffac51f5230137a50fabd0331
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:11:00 -0300
+Date:   2013-08-17 01:25:09 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 428a92c..eb03a10 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,7 +1,7 @@
-Bottom: 502f555c935f829fc23dd8f2986455c72b952a62
-Top:    40ef432615a0798e880ce4bf9d0fed695d2d1fe1
+Bottom: 30385e4571775728259c071ac811cf24231bbe2a
+Top:    feea6b866c2cad47f44d83b24583aeb2e3dc5922
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:11:55 -0300
+Date:   2013-08-17 01:25:09 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 75dc16a..57fda05 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,7 +1,7 @@
-Bottom: 3e2da94112b66d7d2a5c0302a59092c351a9beae
-Top:    502f555c935f829fc23dd8f2986455c72b952a62
+Bottom: c1f6d017ec3215a105705280d9d4e90b49cdb2fc
+Top:    30385e4571775728259c071ac811cf24231bbe2a
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:12:28 -0300
+Date:   2013-08-17 01:25:08 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index b1bd108..b13b758 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,7 +1,7 @@
-Bottom: f2c97e058bb7c8c3103a9dd012dcb253194148a9
-Top:    06607cc945da4dc1e66af3ac0e88c7e5809f2083
+Bottom: be3798257ab5eb1ffac51f5230137a50fabd0331
+Top:    4d99d3f848a2d2a8839afeb505c973845383e8bb
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:13:24 -0300
+Date:   2013-08-17 01:25:09 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 5ff28e9..5b29c79 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,7 +1,7 @@
-Bottom: 06607cc945da4dc1e66af3ac0e88c7e5809f2083
-Top:    e12f04c0e8731c53e3e401f09ae09dffeff3baf4
+Bottom: 4d99d3f848a2d2a8839afeb505c973845383e8bb
+Top:    47b6d76e85ffcec042abbf52e9b26155224ed476
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:13:53 -0300
+Date:   2013-08-17 01:25:09 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 53feaf3..c0d9e8f 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,7 +1,7 @@
-Bottom: e12f04c0e8731c53e3e401f09ae09dffeff3baf4
-Top:    c6a8bfa89bebdd2e843455e435782b1d9c2e6d4b
+Bottom: 47b6d76e85ffcec042abbf52e9b26155224ed476
+Top:    2282fda35139be6d25c267fb0f30abf6184f3b6d
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:14:35 -0300
+Date:   2013-08-17 01:25:10 -0300
 
 Thread safety documentation.
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 76700ea..fdb728f 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,7 +1,7 @@
-Bottom: c6a8bfa89bebdd2e843455e435782b1d9c2e6d4b
-Top:    7a82ed262dde6b6667a78cafef16ff35cc6f7086
+Bottom: 2282fda35139be6d25c267fb0f30abf6184f3b6d
+Top:    7003967eaf771392ad1c6c6f996ace42ab8190e3
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:14:50 -0300
+Date:   2013-08-17 01:25:10 -0300
 
 Thread safety documentation.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=25a9ae1821970d7d17f86df0dbd323fe7776461b

commit 25a9ae1821970d7d17f86df0dbd323fe7776461b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e4662897991d33b3915b73cd23c5c140fd12c6e

commit 2e4662897991d33b3915b73cd23c5c140fd12c6e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:10 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1dbe8f76713dfcffe1af611cbe9a6054fed93484

commit 1dbe8f76713dfcffe1af611cbe9a6054fed93484
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5388cbb52e6f25c810d8c7c1e9d9cbb58945784e

commit 5388cbb52e6f25c810d8c7c1e9d9cbb58945784e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b46f5e4463116cb679a7e90d6fd7ea80e2a239db

commit b46f5e4463116cb679a7e90d6fd7ea80e2a239db
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bfd482670800eebaa127193ef59428e7af3cfa1e

commit bfd482670800eebaa127193ef59428e7af3cfa1e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:09 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4ca19b6ad7173d7b6694a135af31417639b5e2dc

commit 4ca19b6ad7173d7b6694a135af31417639b5e2dc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1b4a6693b25118e662810d8480caa5189fdae82b

commit 1b4a6693b25118e662810d8480caa5189fdae82b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7555b069c35687dd895740205bfdf2241db9c6f3

commit 7555b069c35687dd895740205bfdf2241db9c6f3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7b0a54addcada9b13059cdb0d03cf3fe0412f16d

commit 7b0a54addcada9b13059cdb0d03cf3fe0412f16d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:08 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=184090294f40be1dea2c49ae667629f5513f2c25

commit 184090294f40be1dea2c49ae667629f5513f2c25
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1326,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1353,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1450,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1585,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1597,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1609,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1728,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2201,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2287,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2463,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2775,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3882,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3902,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=16740ea74dca049974ec07baa32d1cd26c4642a9

commit 16740ea74dca049974ec07baa32d1cd26c4642a9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=065671cbe43b4e8324ec30134b735b72b0a27a7d

commit 065671cbe43b4e8324ec30134b735b72b0a27a7d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1154,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1188,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1227,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1322,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=695e13261917a34ed17d39bf7c68f612aeb53cab

commit 695e13261917a34ed17d39bf7c68f612aeb53cab
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:07 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5c951f02d9782d9ce3468def9b0a29015d11b31c

commit 5c951f02d9782d9ce3468def9b0a29015d11b31c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=392b19a1b6f9dc1268555fd513182d9ddc27977b

commit 392b19a1b6f9dc1268555fd513182d9ddc27977b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 814c210..c7eb13b 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the
 file.  This structure is associated with the @var{dirstream} handle
@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is a version of @code{readdir} which performs internal
 locking.  Like @code{readdir} it returns the next entry from the
 directory.  To prevent conflicts between simultaneously running
@@ -549,6 +591,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -630,6 +683,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -649,6 +706,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -679,6 +749,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -913,6 +993,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1223,6 +1320,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1282,6 +1380,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1323,6 +1423,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1404,6 +1507,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1908,6 +2020,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1942,6 +2056,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1969,6 +2091,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -2007,12 +2132,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -2020,6 +2147,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -2027,12 +2155,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2765,6 +2907,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2830,6 +2979,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2846,6 +2998,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3225,6 +3413,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d9f4ac37690ac779579d891dd9ac2ea37b14a531

commit d9f4ac37690ac779579d891dd9ac2ea37b14a531
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7d2a9a7113f6aa3b14c1d75181c57c699cb3ccd1

commit 7d2a9a7113f6aa3b14c1d75181c57c699cb3ccd1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:06 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9945d2535a48b19f85206a5f18b4b15153af2597

commit 9945d2535a48b19f85206a5f18b4b15153af2597
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2069aec79bc11c99cf3e664d9042d76a7118bb88

commit 2069aec79bc11c99cf3e664d9042d76a7118bb88
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..a3c8fa5 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,6 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
@@ -127,6 +134,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +202,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +250,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +266,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +281,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +300,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +382,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +409,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=134d875cb9e454a8243ac2ca8d0bd3d42f0252dc

commit 134d875cb9e454a8243ac2ca8d0bd3d42f0252dc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index c720063..79bfcdb 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1348,6 +1359,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1375,6 +1391,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1624,6 +1642,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=07dd04c5b4a440663c1751a1f38b09b33ab7f8af

commit 07dd04c5b4a440663c1751a1f38b09b33ab7f8af
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c6564bb231120b06f93702c9956c90a57546222e

commit c6564bb231120b06f93702c9956c90a57546222e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:05 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=017da8adde97bccd79ab19b6d1175cfc9412a565

commit 017da8adde97bccd79ab19b6d1175cfc9412a565
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=caa55786752ded57d80b3809700b9e5183af21ae

commit caa55786752ded57d80b3809700b9e5183af21ae
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..d183e12 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,412 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+properties we documented are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7b1263abc965a873a51d0f7b02987d8e3d6cf471

commit 7b1263abc965a873a51d0f7b02987d8e3d6cf471
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:04 2013 -0300

    Remove unused sysdeps/ieee754/support.c.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c: Remove.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
deleted file mode 100644
index 0bbd892..0000000
--- a/sysdeps/ieee754/support.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
-#endif /* not lint */
-
-/*
- * Some IEEE standard 754 recommended functions and remainder and sqrt for
- * supporting the C elementary functions.
- ******************************************************************************
- * WARNING:
- *      These codes are developed (in double) to support the C elementary
- * functions temporarily. They are not universal, and some of them are very
- * slow (in particular, drem and sqrt is extremely inefficient). Each
- * computer system should have its implementation of these functions using
- * its own assembler.
- ******************************************************************************
- *
- * IEEE 754 required operations:
- *     drem(x,p)
- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
- *              nearest x/y; in half way case, choose the even one.
- *     sqrt(x)
- *              returns the square root of x correctly rounded according to
- *		the rounding mod.
- *
- * IEEE 754 recommended functions:
- * (a) copysign(x,y)
- *              returns x with the sign of y.
- * (b) scalb(x,N)
- *              returns  x * (2**N), for integer values N.
- * (c) logb(x)
- *              returns the unbiased exponent of x, a signed integer in
- *              double precision, except that logb(0) is -INF, logb(INF)
- *              is +INF, and logb(NAN) is that NAN.
- * (d) finite(x)
- *              returns the value TRUE if -INF < x < +INF and returns
- *              FALSE otherwise.
- *
- *
- * CODED IN C BY K.C. NG, 11/25/84;
- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
- */
-
-#include "mathimpl.h"
-
-#if defined(vax)||defined(tahoe)      /* VAX D format */
-#include <errno.h>
-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
-    static const short  prep1=57, gap=7, bias=129           ;
-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
-#else	/* defined(vax)||defined(tahoe) */
-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
-    static const short prep1=54, gap=4, bias=1023           ;
-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
-#endif	/* defined(vax)||defined(tahoe) */
-
-double scalbn(x,N)
-double x; int N;
-{
-        int k;
-
-#ifdef national
-        unsigned short *px=(unsigned short *) &x + 3;
-#else	/* national */
-        unsigned short *px=(unsigned short *) &x;
-#endif	/* national */
-
-        if( x == zero )  return(x);
-
-#if defined(vax)||defined(tahoe)
-        if( (k= *px & mexp ) != ~msign ) {
-            if (N < -260)
-		return(nunf*nunf);
-	    else if (N > 260) {
-		return(copysign(infnan(ERANGE),x));
-	    }
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp ) {
-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
-            if( k == 0 ) {
-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
-#endif	/* defined(vax)||defined(tahoe) */
-
-            if((k = (k>>gap)+ N) > 0 )
-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
-                else x=novf+novf;               /* overflow */
-            else
-                if( k > -prep1 )
-                                        /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
-                else
-                return(nunf*nunf);
-            }
-        return(x);
-}
-
-
-double copysign(x,y)
-double x,y;
-{
-#ifdef national
-        unsigned short  *px=(unsigned short *) &x+3,
-                        *py=(unsigned short *) &y+3;
-#else	/* national */
-        unsigned short  *px=(unsigned short *) &x,
-                        *py=(unsigned short *) &y;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        if ( (*px & mexp) == 0 ) return(x);
-#endif	/* defined(vax)||defined(tahoe) */
-
-        *px = ( *px & msign ) | ( *py & ~msign );
-        return(x);
-}
-
-double logb(x)
-double x;
-{
-
-#ifdef national
-        short *px=(short *) &x+3, k;
-#else	/* national */
-        short *px=(short *) &x, k;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        return (int)(((*px&mexp)>>gap)-bias);
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp )
-            if ( k != 0 )
-                return ( (k>>gap) - bias );
-            else if( x != zero)
-                return ( -1022.0 );
-            else
-                return(-(1.0/zero));
-        else if(x != x)
-            return(x);
-        else
-            {*px &= msign; return(x);}
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-finite(x)
-double x;
-{
-#if defined(vax)||defined(tahoe)
-        return(1);
-#else	/* defined(vax)||defined(tahoe) */
-#ifdef national
-        return( (*((short *) &x+3 ) & mexp ) != mexp );
-#else	/* national */
-        return( (*((short *) &x ) & mexp ) != mexp );
-#endif	/* national */
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-double drem(x,p)
-double x,p;
-{
-        short sign;
-        double hp,dp,tmp;
-        unsigned short  k;
-#ifdef national
-        unsigned short
-              *px=(unsigned short *) &x  +3,
-              *pp=(unsigned short *) &p  +3,
-              *pd=(unsigned short *) &dp +3,
-              *pt=(unsigned short *) &tmp+3;
-#else	/* national */
-        unsigned short
-              *px=(unsigned short *) &x  ,
-              *pp=(unsigned short *) &p  ,
-              *pd=(unsigned short *) &dp ,
-              *pt=(unsigned short *) &tmp;
-#endif	/* national */
-
-        *pp &= msign ;
-
-#if defined(vax)||defined(tahoe)
-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *px & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		return  (x-p)-(x-p);	/* create nan if x is inf */
-	if (p == zero) {
-#if defined(vax)||defined(tahoe)
-		return(infnan(EDOM));
-#else	/* defined(vax)||defined(tahoe) */
-		return zero/zero;
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-#if defined(vax)||defined(tahoe)
-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *pp & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		{ if (p != p) return p; else return x;}
-
-        else  if ( ((*pp & mexp)>>gap) <= 1 )
-                /* subnormal p, or almost subnormal p */
-            { double b; b=scalbn(1.0,(int)prep1);
-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
-        else  if ( p >= novf/2)
-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
-        else
-            {
-                dp=p+p; hp=p/2;
-                sign= *px & ~msign ;
-                *px &= msign       ;
-                while ( x > dp )
-                    {
-                        k=(*px & mexp) - (*pd & mexp) ;
-                        tmp = dp ;
-                        *pt += k ;
-
-#if defined(vax)||defined(tahoe)
-                        if( x < tmp ) *pt -= 128 ;
-#else	/* defined(vax)||defined(tahoe) */
-                        if( x < tmp ) *pt -= 16 ;
-#endif	/* defined(vax)||defined(tahoe) */
-
-                        x -= tmp ;
-                    }
-                if ( x > hp )
-                    { x -= p ;  if ( x >= hp ) x -= p ; }
-
-#if defined(vax)||defined(tahoe)
-		if (x)
-#endif	/* defined(vax)||defined(tahoe) */
-			*px ^= sign;
-                return( x);
-
-            }
-}
-
-
-double sqrt(x)
-double x;
-{
-        double q,s,b,r;
-        double t;
-	double const zero=0.0;
-        int m,n,i;
-#if defined(vax)||defined(tahoe)
-        int k=54;
-#else	/* defined(vax)||defined(tahoe) */
-        int k=51;
-#endif	/* defined(vax)||defined(tahoe) */
-
-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-        if(x!=x||x==zero) return(x);
-
-    /* sqrt(negative) is invalid */
-        if(x<zero) {
-#if defined(vax)||defined(tahoe)
-		return (infnan(EDOM));	/* NaN */
-#else	/* defined(vax)||defined(tahoe) */
-		return(zero/zero);
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-    /* sqrt(INF) is INF */
-        if(!finite(x)) return(x);
-
-    /* scale x to [1,4) */
-        n=logb(x);
-        x=scalbn(x,-n);
-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
-        m += n;
-        n = m/2;
-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
-
-    /* generate sqrt(x) bit by bit (accumulating in q) */
-            q=1.0; s=4.0; x -= 1.0; r=1;
-            for(i=1;i<=k;i++) {
-                t=s+1; x *= 4; r /= 2;
-                if(t<=x) {
-                    s=t+t+2, x -= t; q += r;}
-                else
-                    s *= 2;
-                }
-
-    /* generate the last bit and determine the final rounding */
-            r/=2; x *= 4;
-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
-            if(s<x) {
-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
-                t = (x-s)-5;
-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
-            else {
-                s *= 2; x *= 4;
-                t = (x-s)-1;
-                b=1.0+3*r/4; if(b==1.0) goto end;
-                b=1.0+r/4;   if(b>1.0) t=1;
-                if(t>=0) q+=r; }
-
-end:        return(scalbn(q,n));
-}
-
-#if 0
-/* DREM(X,Y)
- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
- * INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions (not on a VAX):
- *     swapINX(i): save inexact flag and reset it to "i"
- *     swapENI(e): save inexact enable and reset it to "e"
- */
-
-double drem(x,y)
-double x,y;
-{
-
-#ifdef national		/* order of words in floating point number */
-	static const n0=3,n1=2,n2=1,n3=0;
-#else /* VAX, SUN, ZILOG, TAHOE */
-	static const n0=0,n1=1,n2=2,n3=3;
-#endif
-
-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
-	static const double zero=0.0;
-	double hy,y1,t,t1;
-	short k;
-	long n;
-	int i,e;
-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
-			nx,nf,	  *py  =(unsigned short *) &y  ,
-			sign,	  *pt  =(unsigned short *) &t  ,
-				  *pt1 =(unsigned short *) &t1 ;
-
-	xexp = px[n0] & mexp ;	/* exponent of x */
-	yexp = py[n0] & mexp ;	/* exponent of y */
-	sign = px[n0] &0x8000;	/* sign of x     */
-
-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
-	if(y==zero) return(y/y);
-
-/* save the inexact flag and inexact enable in i and e respectively
- * and reset them to zero
- */
-	i=swapINX(0);	e=swapENI(0);
-
-/* subnormal number */
-	nx=0;
-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
-
-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
-
-	nf=nx;
-	py[n0] &= 0x7fff;
-	px[n0] &= 0x7fff;
-
-/* mask off the least significant 27 bits of y */
-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
-
-/* LOOP: argument reduction on x whenever x > y */
-loop:
-	while ( x > y )
-	{
-	    t=y;
-	    t1=y1;
-	    xexp=px[n0]&mexp;	  /* exponent of x */
-	    k=xexp-yexp-m25;
-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
-		{pt[n0]+=k;pt1[n0]+=k;}
-	    n=x/t; x=(x-n*t1)-n*(t-t1);
-	}
-    /* end while (x > y) */
-
-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
-
-/* final adjustment */
-
-	hy=y/2.0;
-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
-	px[n0] ^= sign;
-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
-
-/* restore inexact flag and inexact enable */
-	swapINX(i); swapENI(e);
-
-	return(x);
-}
-#endif
-
-#if 0
-/* SQRT
- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/22/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions:
- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
- */
-
-static const unsigned long table[] = {
-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
-
-double newsqrt(x)
-double x;
-{
-        double y,z,t,addc(),subc()
-	double const b54=134217728.*134217728.; /* b54=2**54 */
-        long mx,scalx;
-	long const mexp=0x7ff00000;
-        int i,j,r,e,swapINX(),swapRM(),swapENI();
-        unsigned long *py=(unsigned long *) &y   ,
-                      *pt=(unsigned long *) &t   ,
-                      *px=(unsigned long *) &x   ;
-#ifdef national         /* ordering of word in a floating point number */
-        const int n0=1, n1=0;
-#else
-        const int n0=0, n1=1;
-#endif
-/* Rounding Mode:  RN ...round-to-nearest
- *                 RZ ...round-towards 0
- *                 RP ...round-towards +INF
- *		   RM ...round-towards -INF
- */
-        const int RN=0,RZ=1,RP=2,RM=3;
-				/* machine dependent: work on a Zilog Z8070
-                                 * and a National 32081 & 16081
-                                 */
-
-/* exceptions */
-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
-
-/* save, reset, initialize */
-        e=swapENI(0);   /* ...save and reset the inexact enable */
-        i=swapINX(0);   /* ...save INEXACT flag */
-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
-        scalx=0;
-
-/* subnormal number, scale up x to x*2**54 */
-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
-
-/* scale x to avoid intermediate over/underflow:
- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
-
-/* magic initial approximation to almost 8 sig. bits */
-        py[n0]=(px[n0]>>1)+0x1ff80000;
-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
-
-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
-
-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
-
-/* twiddle last bit to force y correctly rounded */
-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
-        swapINX(0);     /* ...clear INEXACT flag */
-        swapENI(e);     /* ...restore inexact enable status */
-        t=x/y;          /* ...chopped quotient, possibly inexact */
-        j=swapINX(i);   /* ...read and restore inexact flag */
-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
-        y=y+t;                          /* ...chopped sum */
-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
-        swapRM(r);                      /* ...restore Rounding Mode */
-        return(y);
-}
-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3c6c7a24be0a9b65939e04e9200cffa361848c4b

commit 3c6c7a24be0a9b65939e04e9200cffa361848c4b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:03 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=525ab96dd43fa6cf5d4f972271afec8d0c64c034

commit 525ab96dd43fa6cf5d4f972271afec8d0c64c034
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Sat Aug 17 01:25:03 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=84b2959a1ba1806e2e666a90f9c9442950056937

commit 84b2959a1ba1806e2e666a90f9c9442950056937
Merge: 60e5c03 3f154dc 40bbc25
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 05:02:25 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=60e5c0377635cf5049bced52de2191a13e7c5826

commit 60e5c0377635cf5049bced52de2191a13e7c5826
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 05:02:25 2013 -0300

    push

diff --git a/meta b/meta
index 6ed244f..73cfd6c 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 442baf3f1962c1d771230d73814af2802c7939a3
-Head: 20cfc6cc280a99c7c5c322f9017a835c88940e9d
+Previous: 40bbc25610275afafd89540b32d05e827517453f
+Head: 3f154dc87b1520a90a6a60ee3f64313f37cbe6af
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 696f6dab87abef96e7993fda3f143bbdeb1f34e8
   unused-scalb-is-scalbn.patch: 8e4917e9cf19e11865e8257a23808022f8661b79
@@ -15,20 +15,20 @@ Applied:
   manual-document-mt-safety-debug.patch: 93d4600a981245726112f8653ae093789c5781bc
   manual-document-mt-safety-errno.patch: 1de4023eaef09c4f66ee8cda9af72299102a6a11
   manual-document-mt-safety-filesys.patch: 20cfc6cc280a99c7c5c322f9017a835c88940e9d
+  manual-document-mt-safety-getopt.patch: 9f6db34fbf2abae189d89ed0c55f39e8b6e1567d
+  manual-document-mt-safety-libdl.patch: c36ed4e31f0b32016ac4ff66c3f78b796cc60c4d
+  manual-document-mt-safety-job.patch: 5f947de962b5bc8635e43505a3e620452207d5e9
+  manual-document-mt-safety-lang.patch: 0bb0d49f0ce8515d039525a62babee3ee8041467
+  manual-document-mt-safety-llio.patch: d2d0d5547508d14d2b0f8f184b0cb6567a5f3b3b
+  manual-document-mt-safety-stdio.patch: 657da16d7c4dc73ea2a34ee6bfb0443c4f673a5e
+  wip-manual-document-mt-safety-locale.patch: fa0471dff7f451bafb03203df03f3ed569ae49bf
+  wip-manual-document-mt-safety-math.patch: 76f2d203176f382ef78fc4fe0489bdafb8f8a7e0
+  wip-manual-document-mt-safety-startup.patch: a79bade490b89767d07e59d0f983ca57e360c013
+  wip-manual-document-mt-safety-search.patch: 644f9527c94cba4151e00bc4c4f48b06eb1b6181
+  wip-manual-document-mt-safety-resource.patch: a71b7807900481c356bb648d1c572b7d8e50a9c2
+  wip-manual-document-mt-safety-string.patch: c72458cec4f9e82364a18bd1b2fce9e3ad5b7d0a
+  wip-manual-document-mt-safety-terminal.patch: 26939672f6abb9771a3c6832b6751de75dfd10ae
+  wip-manual-document-mt-safety-threads.patch: ffddbd41d3291cd5b098dde10f2e5253124b8813
+  wip-manual-document-mt-safety-time.patch: 3f154dc87b1520a90a6a60ee3f64313f37cbe6af
 Unapplied:
-  manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
-  manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
-  manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
-  manual-document-mt-safety-lang.patch: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
-  manual-document-mt-safety-llio.patch: 05c3b86470f7b78f9e514bd75ab3c578632a565e
-  manual-document-mt-safety-stdio.patch: e0a2fb9204aeacafd5d47526aca8d0a0d3516b24
-  wip-manual-document-mt-safety-locale.patch: 25716969ed7bd40d588ad87a4199c942e09cb030
-  wip-manual-document-mt-safety-math.patch: 2040739b74bca159cee9d298f3e2b9f1c6419c10
-  wip-manual-document-mt-safety-startup.patch: 740bcbf778d5290c8109de9b137c0490ca6bd44c
-  wip-manual-document-mt-safety-search.patch: fc167765de08d9cc6eeefe08d13b8042927d4c46
-  wip-manual-document-mt-safety-resource.patch: d44818daeeff4059e760cd5ea9f085bf182eb717
-  wip-manual-document-mt-safety-string.patch: 4081c255aff07502983a04524774c57774175012
-  wip-manual-document-mt-safety-terminal.patch: 3497681f7e488536c7e151c731fff1a56e012b7d
-  wip-manual-document-mt-safety-threads.patch: c0dc224a795deac0cc8aacebcade8ae14842af01
-  wip-manual-document-mt-safety-time.patch: ca6ff75c053a2dc37c42b12d238e3397c604960b
 Hidden:
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 2b8d8e9..8e2d03d 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: cdc226230e45430773c967a5b19e606c9ac5c26c
-Top:    c68359c7dd9923875b40cb6b3e88ccee074aa1cf
+Bottom: 7fa654adb8d9082bddec3251021da106124844a9
+Top:    1b375656241ea5dc462b0293bea840893b4f359b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index dd27713..132b58d 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 6e873142fc9dc8e6673808013c93d2c58ce98443
-Top:    c154c087966f912177b97ba1d21240ba8d015145
+Bottom: 3d94d1b2c3bcc092b3df348e4cb20a0cc767b53d
+Top:    2230f3ad68c0c728603008b7ef5a718ed6999f8a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 4c352a3..3958ddb 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: c154c087966f912177b97ba1d21240ba8d015145
-Top:    fc738e25133a6fc7d7d322e4aaa73f98f45ee411
+Bottom: 2230f3ad68c0c728603008b7ef5a718ed6999f8a
+Top:    03db9c41a3d5843dd52386d18ea8d5ae4fbaa790
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 8a38019..ba39838 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: c68359c7dd9923875b40cb6b3e88ccee074aa1cf
-Top:    6e873142fc9dc8e6673808013c93d2c58ce98443
+Bottom: 1b375656241ea5dc462b0293bea840893b4f359b
+Top:    3d94d1b2c3bcc092b3df348e4cb20a0cc767b53d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 28a9a28..6983a10 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: fc738e25133a6fc7d7d322e4aaa73f98f45ee411
-Top:    2ababec10bdc79e391c0dcfade6046586526bff9
+Bottom: 03db9c41a3d5843dd52386d18ea8d5ae4fbaa790
+Top:    f3d45f3a5174c95fda4ca14c3895dea94162ab84
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 3de963c..75523e4 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 2ababec10bdc79e391c0dcfade6046586526bff9
-Top:    d690f2a44f6c21eb342e9a3e7523dc72068502a3
+Bottom: f3d45f3a5174c95fda4ca14c3895dea94162ab84
+Top:    871bd834ba505ea12044bc0802ca64d8ac8687bd
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index a8e5755..bad17dd 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: d690f2a44f6c21eb342e9a3e7523dc72068502a3
-Top:    481e29ddef07c3cc482dc5a495a3e73b301a97f3
+Bottom: 871bd834ba505ea12044bc0802ca64d8ac8687bd
+Top:    7eb11a4a93285c6437a6a76fcfe3bdb4f7ab231e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 27aa7ee..51ccaa8 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 481e29ddef07c3cc482dc5a495a3e73b301a97f3
-Top:    9f9c0f06c0d34f15d4b04a2a152676ffd52e8df7
+Bottom: 7eb11a4a93285c6437a6a76fcfe3bdb4f7ab231e
+Top:    3e2da94112b66d7d2a5c0302a59092c351a9beae
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 0574acd..12c14b8 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 33e1f4fae29f5947f17f70936d3d315b01dff62f
-Top:    3e9c626e7fe436b3de908fc12ed371d066d8f391
+Bottom: 40ef432615a0798e880ce4bf9d0fed695d2d1fe1
+Top:    f2c97e058bb7c8c3103a9dd012dcb253194148a9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index ee61379..428a92c 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: cf86ac4dd59923640662568a6cede5e573261672
-Top:    33e1f4fae29f5947f17f70936d3d315b01dff62f
+Bottom: 502f555c935f829fc23dd8f2986455c72b952a62
+Top:    40ef432615a0798e880ce4bf9d0fed695d2d1fe1
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index a9dfcb5..75dc16a 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 9f9c0f06c0d34f15d4b04a2a152676ffd52e8df7
-Top:    cf86ac4dd59923640662568a6cede5e573261672
+Bottom: 3e2da94112b66d7d2a5c0302a59092c351a9beae
+Top:    502f555c935f829fc23dd8f2986455c72b952a62
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 395919e..b1bd108 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 3e9c626e7fe436b3de908fc12ed371d066d8f391
-Top:    c89da0b4d41a5745fd4e2551d486e9d9dd0d56d1
+Bottom: f2c97e058bb7c8c3103a9dd012dcb253194148a9
+Top:    06607cc945da4dc1e66af3ac0e88c7e5809f2083
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 5ed60c1..5ff28e9 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: c89da0b4d41a5745fd4e2551d486e9d9dd0d56d1
-Top:    8cea251adc99eb63d9bdc273e9afd6cd37042dcc
+Bottom: 06607cc945da4dc1e66af3ac0e88c7e5809f2083
+Top:    e12f04c0e8731c53e3e401f09ae09dffeff3baf4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index c8cfc0b..53feaf3 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 8cea251adc99eb63d9bdc273e9afd6cd37042dcc
-Top:    62785faca46da74e7a2dced79e5b7e422ee534f3
+Bottom: e12f04c0e8731c53e3e401f09ae09dffeff3baf4
+Top:    c6a8bfa89bebdd2e843455e435782b1d9c2e6d4b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index c9b5cb3..76700ea 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 62785faca46da74e7a2dced79e5b7e422ee534f3
-Top:    85ac7ce981e14893c88c124b59ba947a9ba69034
+Bottom: c6a8bfa89bebdd2e843455e435782b1d9c2e6d4b
+Top:    7a82ed262dde6b6667a78cafef16ff35cc6f7086
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=40bbc25610275afafd89540b32d05e827517453f

commit 40bbc25610275afafd89540b32d05e827517453f
Merge: b0f64d7 442baf3 20cfc6c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 05:01:59 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b0f64d77f5745d18fead26bd46b129c7b5e22f9f

commit b0f64d77f5745d18fead26bd46b129c7b5e22f9f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 05:01:59 2013 -0300

    refresh

diff --git a/meta b/meta
index fb7b221..6ed244f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 828a9e296e22f33484c009b88eaf45b523b64d83
-Head: cc424d6ed1b24e6a02244c623567f6471a362986
+Previous: 442baf3f1962c1d771230d73814af2802c7939a3
+Head: 20cfc6cc280a99c7c5c322f9017a835c88940e9d
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 696f6dab87abef96e7993fda3f143bbdeb1f34e8
   unused-scalb-is-scalbn.patch: 8e4917e9cf19e11865e8257a23808022f8661b79
@@ -14,8 +14,7 @@ Applied:
   manual-document-mt-safety-ctype.patch: f9c7c5a3a45afe0537eac97659a8035fcd353755
   manual-document-mt-safety-debug.patch: 93d4600a981245726112f8653ae093789c5781bc
   manual-document-mt-safety-errno.patch: 1de4023eaef09c4f66ee8cda9af72299102a6a11
-  manual-document-mt-safety-filesys.patch: fa001f73d60f803ba2877b9c8297e1b584e3b6ec
-  refresh-temp: cc424d6ed1b24e6a02244c623567f6471a362986
+  manual-document-mt-safety-filesys.patch: 20cfc6cc280a99c7c5c322f9017a835c88940e9d
 Unapplied:
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 7dc7236..397230b 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
 Bottom: e7b3cec4e03306c8e81023c08b98e74a0faacbbe
-Top:    e7b3cec4e03306c8e81023c08b98e74a0faacbbe
+Top:    7fa654adb8d9082bddec3251021da106124844a9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-16 04:52:55 -0300
 
@@ -12,4 +12,778 @@ for ChangeLog
 
 ---
 
-
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 814c210..c7eb13b 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c If buffer is NULL, this function calls malloc and realloc, and, in
++@c case of error, free.  Linux offers a getcwd syscall that we use on
++@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
++@c fallback, and on other systems, the generic implementation opens each
++@c parent directory with opendir, which allocates memory for the
++@c directory stream with malloc.  If a fstatat64 syscall is not
++@c available, very deep directory trees may also have to malloc to build
++@c longer sequences of ../../../... than those supported by a global
++@c const read-only string.
++
++@c linux/__getcwd
++@c  posix/__getcwd
++@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
++@c   lstat64 -> see its own entry
++@c   fstatat64
++@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
++@c   openat64_not_cancel_3, close_not_cancel_no_status
++@c   __fdopendir, __opendir, __readdir, rewinddir
+ The @code{getcwd} function returns an absolute file name representing
+ the current working directory, storing it in the character array
+ @var{buffer} that you provide.  The @var{size} argument is how you tell
+@@ -116,6 +135,9 @@ software.
+ @comment unistd.h
+ @comment BSD
+ @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
++@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
++@c Besides the getcwd safety issues, it calls strerror_r on error, which
++@c brings in all of the i18n issues.
+ This is similar to @code{getcwd}, but has no way to specify the size of
+ the buffer.  @Theglibc{} provides @code{getwd} only
+ for backwards compatibility with BSD.
+@@ -130,6 +152,9 @@ this function is deprecated.
+ @comment unistd.h
+ @comment GNU
+ @deftypefun {char *} get_current_dir_name (void)
++@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides getcwd, which this function calls as a fallback, it calls
++@c getenv, with the usual thread-safety issues that brings about.
+ @vindex PWD
+ This @code{get_current_dir_name} function is basically equivalent to
+ @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
+@@ -145,6 +170,7 @@ This function is a GNU extension.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ @var{filename}.
+ 
+@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
+ @comment unistd.h
+ @comment XPG
+ @deftypefun int fchdir (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ directory associated with the file descriptor @var{filedes}.
+ 
+@@ -294,12 +321,14 @@ values and @code{st_mode} values:
+ @comment dirent.h
+ @comment BSD
+ @deftypefun int IFTODT (mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{d_type} value corresponding to @var{mode}.
+ @end deftypefun
+ 
+ @comment dirent.h
+ @comment BSD
+ @deftypefun mode_t DTTOIF (int @var{dtype})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{st_mode} value corresponding to @var{dtype}.
+ @end deftypefun
+ @end table
+@@ -342,6 +371,9 @@ the following functions.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {DIR *} opendir (const char *@var{dirname})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides the safe syscall, we have to allocate the DIR object with
++@c __alloc_dir, that calls malloc.
+ The @code{opendir} function opens and returns a directory stream for
+ reading the directory whose file name is @var{dirname}.  The stream has
+ type @code{DIR *}.
+@@ -381,6 +413,8 @@ alternative interface can be used.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun {DIR *} fdopendir (int @var{fd})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c The DIR object is allocated with __alloc_dir, that calls malloc.
+ The @code{fdopendir} function works just like @code{opendir} but
+ instead of taking a file name and opening a file descriptor for the
+ directory the caller is required to provide a file descriptor.  This
+@@ -425,6 +459,7 @@ access.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int dirfd (DIR *@var{dirstream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The function @code{dirfd} returns the file descriptor associated with
+ the directory stream @var{dirstream}.  This descriptor can be used until
+ the directory is closed with @code{closedir}.  If the directory stream
+@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c This function holds dirstream's non-recursive lock, which brings
++@c about the usual issues with locks and async signals and cancellation,
++@c but the lock taking is not enough to make the returned value safe to
++@c use, since it points to a stream's internal buffer that can be
++@c overwritten by subsequent calls or even released by closedir.
+ This function reads the next entry from the directory.  It normally
+ returns a pointer to a structure containing information about the
+ file.  This structure is associated with the @var{dirstream} handle
+@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ This function is a version of @code{readdir} which performs internal
+ locking.  Like @code{readdir} it returns the next entry from the
+ directory.  To prevent conflicts between simultaneously running
+@@ -549,6 +591,7 @@ of the last two functions.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64} function is just like the @code{readdir} function
+ except that it returns a pointer to a record of type @code{struct
+ dirent64}.  Some of the members of this data type (notably @code{d_ino})
+@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64_r} function is equivalent to the @code{readdir_r}
+ function except that it takes parameters of base type @code{struct
+ dirent64} instead of @code{struct dirent} in the second and third
+@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun int closedir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
++@c No synchronization in the posix implementation, only in the hurd
++@c one.  This is regarded as safe because it is undefined behavior if
++@c other threads could still be using the dir stream while it's closed.
+ This function closes the directory stream @var{dirstream}.  It returns
+ @code{0} on success and @code{-1} on failure.
+ 
+@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun void rewinddir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{rewinddir} function is used to reinitialize the directory
+ stream @var{dirstream}, so that if you call @code{readdir} it
+ returns information about the first entry in the directory again.  This
+@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
+ @comment dirent.h
+ @comment BSD
+ @deftypefun {long int} telldir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{telldir} function returns the file position of the directory
+ stream @var{dirstream}.  You can use this value with @code{seekdir} to
+ restore the directory stream to that position.
+@@ -630,6 +683,10 @@ restore the directory stream to that position.
+ @comment dirent.h
+ @comment BSD
+ @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{seekdir} function sets the file position of the directory
+ stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
+ result of a previous call to @code{telldir} on this particular stream;
+@@ -649,6 +706,19 @@ the result.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c The scandir function calls __opendirat, __readdir, and __closedir to
++@c go over the named dir; malloc and realloc to allocate the namelist
++@c and copies of each selected dirent, besides the selector, if given,
++@c and qsort and the cmp functions if the latter is given.  In spite of
++@c the cleanup handler that releases memory and the file descriptor in
++@c case of synchronous cancellation, an asynchronous cancellation may
++@c still leak memory and a file descriptor.  Although readdir is unsafe
++@c in general, the use of an internal dir stream for sequential scanning
++@c of the directory with copying of dirents before subsequent calls
++@c makes the use safe, and the fact that the dir stream is private to
++@c each scandir call does away with the lock issues in readdir and
++@c closedir.
+ 
+ The @code{scandir} function scans the contents of the directory selected
+ by @var{dir}.  The result in *@var{namelist} is an array of pointers to
+@@ -679,6 +749,8 @@ are very helpful for this purpose.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c Calls strcoll.
+ The @code{alphasort} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c Calls strverscmp.
+ The @code{versionsort} function is like @code{alphasort} except that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c See scandir.
+ The @code{scandir64} function works like the @code{scandir} function
+ except that the directory entries it returns are described by elements
+ of type @w{@code{struct dirent64}}.  The function pointed to by
+@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c See alphasort.
+ The @code{alphasort64} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c See versionsort.
+ The @code{versionsort64} function is like @code{alphasort64}, excepted that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -913,6 +993,8 @@ file was passed).
+ @comment ftw.h
+ @comment SVID
+ @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
++@c see nftw for safety details
+ The @code{ftw} function calls the callback function given in the
+ parameter @var{func} for every item which is found in the directory
+ specified by @var{filename} and all directories below.  The function
+@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+ This function is similar to @code{ftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
+ @comment ftw.h
+ @comment XPG4.2
+ @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
++@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
++@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
++@c  if FTW_CHDIR, also calls fchdir
++@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
++@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
++@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
++@c  find_object (tsearch) and add_object (tfind).
++@c Since each invocation of *ftw uses its own private search tree, none
++@c  of the search tree concurrency issues apply.
+ The @code{nftw} function works like the @code{ftw} functions.  They call
+ the callback function @var{func} for all items found in the directory
+ @var{filename} and below.  At most @var{descriptors} file descriptors
+@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+ This function is similar to @code{nftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{link} function makes a new link to the existing file named by
+ @var{oldname}, under the new name @var{newname}.
+ 
+@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{symlink} function makes a symbolic link to @var{oldname} named
+ @var{newname}.
+ 
+@@ -1223,6 +1320,7 @@ exceeded.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{readlink} function gets the value of the symbolic link
+ @var{filename}.  The file name that the link points to is copied into
+ @var{buffer}.  This file name string is @emph{not} null-terminated;
+@@ -1282,6 +1380,8 @@ names can refer to the same inode.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun {char *} canonicalize_file_name (const char *@var{name})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls realpath.
+ 
+ The @code{canonicalize_file_name} function returns the absolute name of
+ the file named by @var{name} which contains no @code{.}, @code{..}
+@@ -1323,6 +1423,8 @@ where the result is placed in.
+ @comment stdlib.h
+ @comment XPG
+ @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
+ 
+ A call to @code{realpath} where the @var{resolved} parameter is
+ @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
+@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int unlink (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{unlink} function deletes the file name @var{filename}.  If
+ this is a file's sole name, the file itself is also deleted.  (Actually,
+ if any process has the file open when this happens, deletion is
+@@ -1404,6 +1507,7 @@ file system and can't be modified.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int rmdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @cindex directories, deleting
+ @cindex deleting a directory
+ The @code{rmdir} function deletes a directory.  The directory must be
+@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int remove (const char *@var{filename})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Calls unlink and rmdir.
+ This is the @w{ISO C} function to remove a file.  It works like
+ @code{unlink} for files and like @code{rmdir} for directories.
+ @code{remove} is declared in @file{stdio.h}.
+@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a rename syscall, there's an emulation with link
++@c and unlink, but it's racy, even more so if newname exists and is
++@c unlinked first.
+ The @code{rename} function renames the file @var{oldname} to
+ @var{newname}.  The file formerly accessible under the name
+ @var{oldname} is afterwards accessible as @var{newname} instead.  (If
+@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{mkdir} function creates a new, empty directory with name
+ @var{filename}.
+ 
+@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{stat} function returns information about the attributes of the
+ file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
+ 
+@@ -1908,6 +2020,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{stat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fstat} function is like @code{stat}, except that it takes an
+ open file descriptor as an argument instead of a file name.
+ @xref{Low-Level I/O}.
+@@ -1942,6 +2056,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{fstat} but is able to work on large
+ files on 32-bit platforms.  For large files the file descriptor
+ @var{filedes} should be obtained by @code{open64} or @code{creat64}.
+@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
+ replaces the interface for small files on 32-bit machines.
+ @end deftypefun
+ 
++@c fstatat will call alloca and snprintf if the syscall is not
++@c available.
++@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat, sometimes with an xstat conv call
++@c afterwards.
+ The @code{lstat} function is like @code{stat}, except that it does not
+ follow symbolic links.  If @var{filename} is the name of a symbolic
+ link, @code{lstat} returns information about the link itself; otherwise
+@@ -1969,6 +2091,9 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat64, sometimes with an xstat conv
++@c call afterwards.
+ This function is similar to @code{lstat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -2007,12 +2132,14 @@ that file:
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISDIR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a directory.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISCHR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a character special file (a
+ device like a terminal).
+ @end deftypefn
+@@ -2020,6 +2147,7 @@ device like a terminal).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISBLK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a block special file (a device
+ like a disk).
+ @end deftypefn
+@@ -2027,12 +2155,14 @@ like a disk).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISREG (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a regular file.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISFIFO (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a FIFO special file, or a
+ pipe.  @xref{Pipes and FIFOs}.
+ @end deftypefn
+@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISLNK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a symbolic link.
+ @xref{Symbolic Links}.
+ @end deftypefn
+@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISSOCK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a socket.  @xref{Sockets}.
+ @end deftypefn
+ 
+@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX message queues as distinct objects and the
+ file is a message queue object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX semaphores as distinct objects and the
+ file is a semaphore object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX shared memory objects as distinct objects
+ and the file is an shared memory object, this macro returns a non-zero
+ value.  In all other cases the result is zero.
+@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chown} function changes the owner of the file @var{filename} to
+ @var{owner}, and its group owner to @var{group}.
+ 
+@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chown}, except that it changes the owner of the open
+ file with descriptor @var{filedes}.
+ 
+@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun mode_t umask (mode_t @var{mask})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{umask} function sets the file creation mask of the current
+ process to @var{mask}, and returns the previous value of the file
+ creation mask.
+@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefun mode_t getumask (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Return the current value of the file creation mask for the current
+ process.  This function is a GNU extension and is only available on
+ @gnuhurdsystems{}.
+@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chmod} function sets the access permission bits for the file
+ named by @var{filename} to @var{mode}.
+ 
+@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chmod}, except that it changes the permissions of the
+ currently open file given by @var{filedes}.
+ 
+@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int access (const char *@var{filename}, int @var{how})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{access} function checks to see whether the file named by
+ @var{filename} can be accessed in the way specified by the @var{how}
+ argument.  The @var{how} argument either can be the bitwise OR of the
+@@ -2765,6 +2907,9 @@ This is the modification time for the file.
+ @comment utime.h
+ @comment POSIX.1
+ @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utime syscall, it non-atomically converts times
++@c to a struct timeval and calls utimes.
+ This function is used to modify the file times associated with the file
+ named @var{filename}.
+ 
+@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, or to
++@c struct utimbuf and calls utime.
+ This function sets the file access and modification times of the file
+ @var{filename}.  The new file access time is specified by
+ @code{@var{tvp}[0]}, and the new modification time by
+@@ -2830,6 +2979,9 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no lutimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall.
+ This function is like @code{utimes}, except that it does not follow
+ symbolic links.  If @var{filename} is the name of a symbolic link,
+ @code{lutimes} sets the file access and modification times of the
+@@ -2846,6 +2998,10 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no futimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, falling back
++@c to utimes on a /proc/self/fd symlink.
+ This function is like @code{utimes}, except that it takes an open file
+ descriptor as an argument instead of a file name.  @xref{Low-Level
+ I/O}.  This function comes from FreeBSD, and is not available on all
+@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
+ @comment unistd.h
+ @comment X/Open
+ @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a truncate syscall, we use open and ftruncate.
+ 
+ The @code{truncate} function changes the size of @var{filename} to
+ @var{length}.  If @var{length} is shorter than the previous length, data
+@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try truncate if length fits.
+ This function is similar to the @code{truncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines, which allows the handling of files with sizes up to
+@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This is like @code{truncate}, but it works on a file descriptor @var{fd}
+ for an opened file instead of a file name to identify the object.  The
+@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try ftruncate if length fits.
+ This function is similar to the @code{ftruncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines which allows the handling of files with sizes up to
+@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Instead of issuing the syscall directly, we go through xmknod.
++@c Although the internal xmknod takes a dev_t*, that could lead to
++@c xguargs races, it's passed a pointer to mknod's dev.
+ The @code{mknod} function makes a special file with name @var{filename}.
+ The @var{mode} specifies the mode of the file, and may include the various
+ special file bits, such as @code{S_IFCHR} (for a character special file)
+@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} tmpfile (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@c The unsafety issues are those of fdopen, plus fdleak because of the
++@c open.
++@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
++@c  libc_secure_genenv only if try_tmpdir
++@c  xstat64, strlen, strcmp, sprintf
++@c __gen_tempname (internal tmpl, __GT_FILE) ok
++@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
++@c  HP_TIMING_NOW if available ok
++@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
++@c  static value is used and modified without synchronization ok
++@c   but the use is as a source of non-cryptographic randomness
++@c   with retries in case of collision, so it should be safe
++@c unlink, fdopen
+ This function creates a temporary binary file for update mode, as if by
+ calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
+ automatically when it is closed or when the program terminates.  (On
+@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} tmpfile64 (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+ This function is similar to @code{tmpfile}, but the stream it returns a
+ pointer to was opened using @code{tmpfile64}.  Therefore this stream can
+ be used for files larger then @math{2^31} bytes on 32-bit machines.
+@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {char *} tmpnam (char *@var{result})
++@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
++@c The passed-in buffer should not be modified concurrently with the
++@c call.
++@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+ This function constructs and returns a valid file name that does not
+ refer to any existing file.  If the @var{result} argument is a null
+ pointer, the return value is a pointer to an internal static string,
+@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {char *} tmpnam_r (char *@var{result})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+ This function is nearly identical to the @code{tmpnam} function, except
+ that if @var{result} is a null pointer it returns a null pointer.
+ 
+@@ -3225,6 +3413,13 @@ never less than @code{25}.
+ @comment stdio.h
+ @comment SVID
+ @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
++@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
++@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
++@c even with a non-NULL dir, which makes this thread-unsafe.
++@c
++@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
++@c strdup
+ This function generates a unique temporary file name.  If @var{prefix}
+ is not a null pointer, up to five characters of this string are used as
+ a prefix for the file name.  The return value is a string newly
+@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
+ @comment stdlib.h
+ @comment Unix
+ @deftypefun {char *} mktemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
+ The @code{mktemp} function generates a unique file name by modifying
+ @var{template} as described above.  If successful, it returns
+ @var{template} as modified.  If @code{mktemp} cannot find a unique file
+@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun int mkstemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
++@c __gen_tempname (caller tmpl, __GT_FILE) ok
+ The @code{mkstemp} function generates a unique file name just as
+ @code{mktemp} does, but it also opens the file for you with @code{open}
+ (@pxref{Opening and Closing Files}).  If successful, it modifies
+@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun {char *} mkdtemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_DIR) ok
+ The @code{mkdtemp} function creates a directory with a unique name.  If
+ it succeeds, it overwrites @var{template} with the name of the
+ directory, and returns @var{template}.  As with @code{mktemp} and
+@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
+ @xref{Creating Directories}.
+ 
+ The @code{mkdtemp} function comes from OpenBSD.
++
++@c FIXME these are undocumented:
++@c faccessat
++@c fchmodat
++@c fchownat
++@c futimesat
++@c fstatat (there's a commented-out safety assessment for this one)
++@c linkat
++@c mkdirat
++@c mkfifoat
++@c name_to_handle_at
++@c openat
++@c open_by_handle_at
++@c readlinkat
++@c renameat
++@c scandirat
++@c symlinkat
++@c unlinkat
++@c utimensat
++@c mknodat
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 0a01119..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,784 +0,0 @@
-Bottom: e7b3cec4e03306c8e81023c08b98e74a0faacbbe
-Top:    7fa654adb8d9082bddec3251021da106124844a9
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 05:01:58 -0300
-
-Refresh of manual-document-mt-safety-filesys.patch
-
----
-
-diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 814c210..c7eb13b 100644
---- a/manual/filesys.texi
-+++ b/manual/filesys.texi
-@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
- @comment unistd.h
- @comment POSIX.1
- @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c If buffer is NULL, this function calls malloc and realloc, and, in
-+@c case of error, free.  Linux offers a getcwd syscall that we use on
-+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
-+@c fallback, and on other systems, the generic implementation opens each
-+@c parent directory with opendir, which allocates memory for the
-+@c directory stream with malloc.  If a fstatat64 syscall is not
-+@c available, very deep directory trees may also have to malloc to build
-+@c longer sequences of ../../../... than those supported by a global
-+@c const read-only string.
-+
-+@c linux/__getcwd
-+@c  posix/__getcwd
-+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
-+@c   lstat64 -> see its own entry
-+@c   fstatat64
-+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
-+@c   openat64_not_cancel_3, close_not_cancel_no_status
-+@c   __fdopendir, __opendir, __readdir, rewinddir
- The @code{getcwd} function returns an absolute file name representing
- the current working directory, storing it in the character array
- @var{buffer} that you provide.  The @var{size} argument is how you tell
-@@ -116,6 +135,9 @@ software.
- @comment unistd.h
- @comment BSD
- @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
-+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
-+@c Besides the getcwd safety issues, it calls strerror_r on error, which
-+@c brings in all of the i18n issues.
- This is similar to @code{getcwd}, but has no way to specify the size of
- the buffer.  @Theglibc{} provides @code{getwd} only
- for backwards compatibility with BSD.
-@@ -130,6 +152,9 @@ this function is deprecated.
- @comment unistd.h
- @comment GNU
- @deftypefun {char *} get_current_dir_name (void)
-+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Besides getcwd, which this function calls as a fallback, it calls
-+@c getenv, with the usual thread-safety issues that brings about.
- @vindex PWD
- This @code{get_current_dir_name} function is basically equivalent to
- @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
-@@ -145,6 +170,7 @@ This function is a GNU extension.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int chdir (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is used to set the process's working directory to
- @var{filename}.
- 
-@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
- @comment unistd.h
- @comment XPG
- @deftypefun int fchdir (int @var{filedes})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is used to set the process's working directory to
- directory associated with the file descriptor @var{filedes}.
- 
-@@ -294,12 +321,14 @@ values and @code{st_mode} values:
- @comment dirent.h
- @comment BSD
- @deftypefun int IFTODT (mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This returns the @code{d_type} value corresponding to @var{mode}.
- @end deftypefun
- 
- @comment dirent.h
- @comment BSD
- @deftypefun mode_t DTTOIF (int @var{dtype})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This returns the @code{st_mode} value corresponding to @var{dtype}.
- @end deftypefun
- @end table
-@@ -342,6 +371,9 @@ the following functions.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun {DIR *} opendir (const char *@var{dirname})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Besides the safe syscall, we have to allocate the DIR object with
-+@c __alloc_dir, that calls malloc.
- The @code{opendir} function opens and returns a directory stream for
- reading the directory whose file name is @var{dirname}.  The stream has
- type @code{DIR *}.
-@@ -381,6 +413,8 @@ alternative interface can be used.
- @comment dirent.h
- @comment GNU
- @deftypefun {DIR *} fdopendir (int @var{fd})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c The DIR object is allocated with __alloc_dir, that calls malloc.
- The @code{fdopendir} function works just like @code{opendir} but
- instead of taking a file name and opening a file descriptor for the
- directory the caller is required to provide a file descriptor.  This
-@@ -425,6 +459,7 @@ access.
- @comment dirent.h
- @comment GNU
- @deftypefun int dirfd (DIR *@var{dirstream})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The function @code{dirfd} returns the file descriptor associated with
- the directory stream @var{dirstream}.  This descriptor can be used until
- the directory is closed with @code{closedir}.  If the directory stream
-@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
-+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
-+@c This function holds dirstream's non-recursive lock, which brings
-+@c about the usual issues with locks and async signals and cancellation,
-+@c but the lock taking is not enough to make the returned value safe to
-+@c use, since it points to a stream's internal buffer that can be
-+@c overwritten by subsequent calls or even released by closedir.
- This function reads the next entry from the directory.  It normally
- returns a pointer to a structure containing information about the
- file.  This structure is associated with the @var{dirstream} handle
-@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
- @comment dirent.h
- @comment GNU
- @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- This function is a version of @code{readdir} which performs internal
- locking.  Like @code{readdir} it returns the next entry from the
- directory.  To prevent conflicts between simultaneously running
-@@ -549,6 +591,7 @@ of the last two functions.
- @comment dirent.h
- @comment LFS
- @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
-+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{readdir64} function is just like the @code{readdir} function
- except that it returns a pointer to a record of type @code{struct
- dirent64}.  Some of the members of this data type (notably @code{d_ino})
-@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
- @comment dirent.h
- @comment LFS
- @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{readdir64_r} function is equivalent to the @code{readdir_r}
- function except that it takes parameters of base type @code{struct
- dirent64} instead of @code{struct dirent} in the second and third
-@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
- @comment dirent.h
- @comment POSIX.1
- @deftypefun int closedir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
-+@c No synchronization in the posix implementation, only in the hurd
-+@c one.  This is regarded as safe because it is undefined behavior if
-+@c other threads could still be using the dir stream while it's closed.
- This function closes the directory stream @var{dirstream}.  It returns
- @code{0} on success and @code{-1} on failure.
- 
-@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun void rewinddir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{rewinddir} function is used to reinitialize the directory
- stream @var{dirstream}, so that if you call @code{readdir} it
- returns information about the first entry in the directory again.  This
-@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
- @comment dirent.h
- @comment BSD
- @deftypefun {long int} telldir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
-+@c The implementation is safe on most platforms, but on BSD it uses
-+@c cookies, buckets and records, and the global array of pointers to
-+@c dynamically allocated records is guarded by a non-recursive lock.
- The @code{telldir} function returns the file position of the directory
- stream @var{dirstream}.  You can use this value with @code{seekdir} to
- restore the directory stream to that position.
-@@ -630,6 +683,10 @@ restore the directory stream to that position.
- @comment dirent.h
- @comment BSD
- @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
-+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
-+@c The implementation is safe on most platforms, but on BSD it uses
-+@c cookies, buckets and records, and the global array of pointers to
-+@c dynamically allocated records is guarded by a non-recursive lock.
- The @code{seekdir} function sets the file position of the directory
- stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
- result of a previous call to @code{telldir} on this particular stream;
-@@ -649,6 +706,19 @@ the result.
- @comment dirent.h
- @comment BSD/SVID
- @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
-+@c The scandir function calls __opendirat, __readdir, and __closedir to
-+@c go over the named dir; malloc and realloc to allocate the namelist
-+@c and copies of each selected dirent, besides the selector, if given,
-+@c and qsort and the cmp functions if the latter is given.  In spite of
-+@c the cleanup handler that releases memory and the file descriptor in
-+@c case of synchronous cancellation, an asynchronous cancellation may
-+@c still leak memory and a file descriptor.  Although readdir is unsafe
-+@c in general, the use of an internal dir stream for sequential scanning
-+@c of the directory with copying of dirents before subsequent calls
-+@c makes the use safe, and the fact that the dir stream is private to
-+@c each scandir call does away with the lock issues in readdir and
-+@c closedir.
- 
- The @code{scandir} function scans the contents of the directory selected
- by @var{dir}.  The result in *@var{namelist} is an array of pointers to
-@@ -679,6 +749,8 @@ are very helpful for this purpose.
- @comment dirent.h
- @comment BSD/SVID
- @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c Calls strcoll.
- The @code{alphasort} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
- are not string pointers but instead they are of type
-@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c Calls strverscmp.
- The @code{versionsort} function is like @code{alphasort} except that it
- uses the @code{strverscmp} function internally.
- @end deftypefun
-@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
- @comment dirent.h
- @comment GNU
- @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
-+@c See scandir.
- The @code{scandir64} function works like the @code{scandir} function
- except that the directory entries it returns are described by elements
- of type @w{@code{struct dirent64}}.  The function pointed to by
-@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
- @comment dirent.h
- @comment GNU
- @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c See alphasort.
- The @code{alphasort64} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
- are not string pointers but instead they are of type
-@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c See versionsort.
- The @code{versionsort64} function is like @code{alphasort64}, excepted that it
- uses the @code{strverscmp} function internally.
- @end deftypefun
-@@ -913,6 +993,8 @@ file was passed).
- @comment ftw.h
- @comment SVID
- @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
-+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
-+@c see nftw for safety details
- The @code{ftw} function calls the callback function given in the
- parameter @var{func} for every item which is found in the directory
- specified by @var{filename} and all directories below.  The function
-@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
- @comment ftw.h
- @comment Unix98
- @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
-+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
- This function is similar to @code{ftw} but it can work on filesystems
- with large files.  File information is reported using a variable of type
- @code{struct stat64} which is passed by reference to the callback
-@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
- @comment ftw.h
- @comment XPG4.2
- @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
-+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
-+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
-+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
-+@c  if FTW_CHDIR, also calls fchdir
-+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
-+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
-+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
-+@c  find_object (tsearch) and add_object (tfind).
-+@c Since each invocation of *ftw uses its own private search tree, none
-+@c  of the search tree concurrency issues apply.
- The @code{nftw} function works like the @code{ftw} functions.  They call
- the callback function @var{func} for all items found in the directory
- @var{filename} and below.  At most @var{descriptors} file descriptors
-@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
- @comment ftw.h
- @comment Unix98
- @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
-+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
- This function is similar to @code{nftw} but it can work on filesystems
- with large files.  File information is reported using a variable of type
- @code{struct stat64} which is passed by reference to the callback
-@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{link} function makes a new link to the existing file named by
- @var{oldname}, under the new name @var{newname}.
- 
-@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
- @comment unistd.h
- @comment BSD
- @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{symlink} function makes a symbolic link to @var{oldname} named
- @var{newname}.
- 
-@@ -1223,6 +1320,7 @@ exceeded.
- @comment unistd.h
- @comment BSD
- @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{readlink} function gets the value of the symbolic link
- @var{filename}.  The file name that the link points to is copied into
- @var{buffer}.  This file name string is @emph{not} null-terminated;
-@@ -1282,6 +1380,8 @@ names can refer to the same inode.
- @comment stdlib.h
- @comment GNU
- @deftypefun {char *} canonicalize_file_name (const char *@var{name})
-+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Calls realpath.
- 
- The @code{canonicalize_file_name} function returns the absolute name of
- the file named by @var{name} which contains no @code{.}, @code{..}
-@@ -1323,6 +1423,8 @@ where the result is placed in.
- @comment stdlib.h
- @comment XPG
- @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
-+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
- 
- A call to @code{realpath} where the @var{resolved} parameter is
- @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
-@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int unlink (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{unlink} function deletes the file name @var{filename}.  If
- this is a file's sole name, the file itself is also deleted.  (Actually,
- if any process has the file open when this happens, deletion is
-@@ -1404,6 +1507,7 @@ file system and can't be modified.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int rmdir (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- @cindex directories, deleting
- @cindex deleting a directory
- The @code{rmdir} function deletes a directory.  The directory must be
-@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
- @comment stdio.h
- @comment ISO
- @deftypefun int remove (const char *@var{filename})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Calls unlink and rmdir.
- This is the @w{ISO C} function to remove a file.  It works like
- @code{unlink} for files and like @code{rmdir} for directories.
- @code{remove} is declared in @file{stdio.h}.
-@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
- @comment stdio.h
- @comment ISO
- @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a rename syscall, there's an emulation with link
-+@c and unlink, but it's racy, even more so if newname exists and is
-+@c unlinked first.
- The @code{rename} function renames the file @var{oldname} to
- @var{newname}.  The file formerly accessible under the name
- @var{oldname} is afterwards accessible as @var{newname} instead.  (If
-@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{mkdir} function creates a new, empty directory with name
- @var{filename}.
- 
-@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{stat} function returns information about the attributes of the
- file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
- 
-@@ -1908,6 +2020,7 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{stat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
- this the result is stored in a variable of type @code{struct stat64} to
-@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{fstat} function is like @code{stat}, except that it takes an
- open file descriptor as an argument instead of a file name.
- @xref{Low-Level I/O}.
-@@ -1942,6 +2056,7 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{fstat} but is able to work on large
- files on 32-bit platforms.  For large files the file descriptor
- @var{filedes} should be obtained by @code{open64} or @code{creat64}.
-@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
- replaces the interface for small files on 32-bit machines.
- @end deftypefun
- 
-+@c fstatat will call alloca and snprintf if the syscall is not
-+@c available.
-+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
-+
- @comment sys/stat.h
- @comment BSD
- @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct system call through lxstat, sometimes with an xstat conv call
-+@c afterwards.
- The @code{lstat} function is like @code{stat}, except that it does not
- follow symbolic links.  If @var{filename} is the name of a symbolic
- link, @code{lstat} returns information about the link itself; otherwise
-@@ -1969,6 +2091,9 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct system call through lxstat64, sometimes with an xstat conv
-+@c call afterwards.
- This function is similar to @code{lstat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
- this the result is stored in a variable of type @code{struct stat64} to
-@@ -2007,12 +2132,14 @@ that file:
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISDIR (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a directory.
- @end deftypefn
- 
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISCHR (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a character special file (a
- device like a terminal).
- @end deftypefn
-@@ -2020,6 +2147,7 @@ device like a terminal).
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISBLK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a block special file (a device
- like a disk).
- @end deftypefn
-@@ -2027,12 +2155,14 @@ like a disk).
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISREG (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a regular file.
- @end deftypefn
- 
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISFIFO (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a FIFO special file, or a
- pipe.  @xref{Pipes and FIFOs}.
- @end deftypefn
-@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
- @comment sys/stat.h
- @comment GNU
- @deftypefn Macro int S_ISLNK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a symbolic link.
- @xref{Symbolic Links}.
- @end deftypefn
-@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
- @comment sys/stat.h
- @comment GNU
- @deftypefn Macro int S_ISSOCK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a socket.  @xref{Sockets}.
- @end deftypefn
- 
-@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX message queues as distinct objects and the
- file is a message queue object, this macro returns a non-zero value.
- In all other cases the result is zero.
-@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX semaphores as distinct objects and the
- file is a semaphore object, this macro returns a non-zero value.
- In all other cases the result is zero.
-@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX shared memory objects as distinct objects
- and the file is an shared memory object, this macro returns a non-zero
- value.  In all other cases the result is zero.
-@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{chown} function changes the owner of the file @var{filename} to
- @var{owner}, and its group owner to @var{group}.
- 
-@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
- @comment unistd.h
- @comment BSD
- @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is like @code{chown}, except that it changes the owner of the open
- file with descriptor @var{filedes}.
- 
-@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun mode_t umask (mode_t @var{mask})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{umask} function sets the file creation mask of the current
- process to @var{mask}, and returns the previous value of the file
- creation mask.
-@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
- @comment sys/stat.h
- @comment GNU
- @deftypefun mode_t getumask (void)
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Return the current value of the file creation mask for the current
- process.  This function is a GNU extension and is only available on
- @gnuhurdsystems{}.
-@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{chmod} function sets the access permission bits for the file
- named by @var{filename} to @var{mode}.
- 
-@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
- @comment sys/stat.h
- @comment BSD
- @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is like @code{chmod}, except that it changes the permissions of the
- currently open file given by @var{filedes}.
- 
-@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int access (const char *@var{filename}, int @var{how})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{access} function checks to see whether the file named by
- @var{filename} can be accessed in the way specified by the @var{how}
- argument.  The @var{how} argument either can be the bitwise OR of the
-@@ -2765,6 +2907,9 @@ This is the modification time for the file.
- @comment utime.h
- @comment POSIX.1
- @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a utime syscall, it non-atomically converts times
-+@c to a struct timeval and calls utimes.
- This function is used to modify the file times associated with the file
- named @var{filename}.
- 
-@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
- @comment sys/time.h
- @comment BSD
- @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a utimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall, or to
-+@c struct utimbuf and calls utime.
- This function sets the file access and modification times of the file
- @var{filename}.  The new file access time is specified by
- @code{@var{tvp}[0]}, and the new modification time by
-@@ -2830,6 +2979,9 @@ function.
- @comment sys/time.h
- @comment BSD
- @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Since there's no lutimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall.
- This function is like @code{utimes}, except that it does not follow
- symbolic links.  If @var{filename} is the name of a symbolic link,
- @code{lutimes} sets the file access and modification times of the
-@@ -2846,6 +2998,10 @@ function.
- @comment sys/time.h
- @comment BSD
- @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Since there's no futimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall, falling back
-+@c to utimes on a /proc/self/fd symlink.
- This function is like @code{utimes}, except that it takes an open file
- descriptor as an argument instead of a file name.  @xref{Low-Level
- I/O}.  This function comes from FreeBSD, and is not available on all
-@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
- @comment unistd.h
- @comment X/Open
- @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a truncate syscall, we use open and ftruncate.
- 
- The @code{truncate} function changes the size of @var{filename} to
- @var{length}.  If @var{length} is shorter than the previous length, data
-@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
- @comment unistd.h
- @comment Unix98
- @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a syscall, try truncate if length fits.
- This function is similar to the @code{truncate} function.  The
- difference is that the @var{length} argument is 64 bits wide even on 32
- bits machines, which allows the handling of files with sizes up to
-@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
- @comment unistd.h
- @comment POSIX
- @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- This is like @code{truncate}, but it works on a file descriptor @var{fd}
- for an opened file instead of a file name to identify the object.  The
-@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
- @comment unistd.h
- @comment Unix98
- @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a syscall, try ftruncate if length fits.
- This function is similar to the @code{ftruncate} function.  The
- difference is that the @var{length} argument is 64 bits wide even on 32
- bits machines which allows the handling of files with sizes up to
-@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
- @comment sys/stat.h
- @comment BSD
- @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Instead of issuing the syscall directly, we go through xmknod.
-+@c Although the internal xmknod takes a dev_t*, that could lead to
-+@c xguargs races, it's passed a pointer to mknod's dev.
- The @code{mknod} function makes a special file with name @var{filename}.
- The @var{mode} specifies the mode of the file, and may include the various
- special file bits, such as @code{S_IFCHR} (for a character special file)
-@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
- @comment stdio.h
- @comment ISO
- @deftypefun {FILE *} tmpfile (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
-+@c The unsafety issues are those of fdopen, plus fdleak because of the
-+@c open.
-+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
-+@c  libc_secure_genenv only if try_tmpdir
-+@c  xstat64, strlen, strcmp, sprintf
-+@c __gen_tempname (internal tmpl, __GT_FILE) ok
-+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
-+@c  HP_TIMING_NOW if available ok
-+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
-+@c  static value is used and modified without synchronization ok
-+@c   but the use is as a source of non-cryptographic randomness
-+@c   with retries in case of collision, so it should be safe
-+@c unlink, fdopen
- This function creates a temporary binary file for update mode, as if by
- calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
- automatically when it is closed or when the program terminates.  (On
-@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
- @comment stdio.h
- @comment Unix98
- @deftypefun {FILE *} tmpfile64 (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
- This function is similar to @code{tmpfile}, but the stream it returns a
- pointer to was opened using @code{tmpfile64}.  Therefore this stream can
- be used for files larger then @math{2^31} bytes on 32-bit machines.
-@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
- @comment stdio.h
- @comment ISO
- @deftypefun {char *} tmpnam (char *@var{result})
-+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
-+@c The passed-in buffer should not be modified concurrently with the
-+@c call.
-+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
-+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
- This function constructs and returns a valid file name that does not
- refer to any existing file.  If the @var{result} argument is a null
- pointer, the return value is a pointer to an internal static string,
-@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
- @comment stdio.h
- @comment GNU
- @deftypefun {char *} tmpnam_r (char *@var{result})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
- This function is nearly identical to the @code{tmpnam} function, except
- that if @var{result} is a null pointer it returns a null pointer.
- 
-@@ -3225,6 +3413,13 @@ never less than @code{25}.
- @comment stdio.h
- @comment SVID
- @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
-+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
-+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
-+@c even with a non-NULL dir, which makes this thread-unsafe.
-+@c
-+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
-+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
-+@c strdup
- This function generates a unique temporary file name.  If @var{prefix}
- is not a null pointer, up to five characters of this string are used as
- a prefix for the file name.  The return value is a string newly
-@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
- @comment stdlib.h
- @comment Unix
- @deftypefun {char *} mktemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
-+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
- The @code{mktemp} function generates a unique file name by modifying
- @var{template} as described above.  If successful, it returns
- @var{template} as modified.  If @code{mktemp} cannot find a unique file
-@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
- @comment stdlib.h
- @comment BSD
- @deftypefun int mkstemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
-+@c __gen_tempname (caller tmpl, __GT_FILE) ok
- The @code{mkstemp} function generates a unique file name just as
- @code{mktemp} does, but it also opens the file for you with @code{open}
- (@pxref{Opening and Closing Files}).  If successful, it modifies
-@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
- @comment stdlib.h
- @comment BSD
- @deftypefun {char *} mkdtemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
-+@c __gen_tempname (caller tmpl, __GT_DIR) ok
- The @code{mkdtemp} function creates a directory with a unique name.  If
- it succeeds, it overwrites @var{template} with the name of the
- directory, and returns @var{template}.  As with @code{mktemp} and
-@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
- @xref{Creating Directories}.
- 
- The @code{mkdtemp} function comes from OpenBSD.
-+
-+@c FIXME these are undocumented:
-+@c faccessat
-+@c fchmodat
-+@c fchownat
-+@c futimesat
-+@c fstatat (there's a commented-out safety assessment for this one)
-+@c linkat
-+@c mkdirat
-+@c mkfifoat
-+@c name_to_handle_at
-+@c openat
-+@c open_by_handle_at
-+@c readlinkat
-+@c renameat
-+@c scandirat
-+@c symlinkat
-+@c unlinkat
-+@c utimensat
-+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=442baf3f1962c1d771230d73814af2802c7939a3

commit 442baf3f1962c1d771230d73814af2802c7939a3
Merge: bf2bd3b 828a9e2 cc424d6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 05:01:59 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bf2bd3bef2433aa3ffb25a44cdb74f74f27231c6

commit bf2bd3bef2433aa3ffb25a44cdb74f74f27231c6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 05:01:59 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index b006b37..fb7b221 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: bcb5ff7712c3f8a6dc163c0612292f179920c79c
-Head: fa001f73d60f803ba2877b9c8297e1b584e3b6ec
+Previous: 828a9e296e22f33484c009b88eaf45b523b64d83
+Head: cc424d6ed1b24e6a02244c623567f6471a362986
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 696f6dab87abef96e7993fda3f143bbdeb1f34e8
   unused-scalb-is-scalbn.patch: 8e4917e9cf19e11865e8257a23808022f8661b79
@@ -15,6 +15,7 @@ Applied:
   manual-document-mt-safety-debug.patch: 93d4600a981245726112f8653ae093789c5781bc
   manual-document-mt-safety-errno.patch: 1de4023eaef09c4f66ee8cda9af72299102a6a11
   manual-document-mt-safety-filesys.patch: fa001f73d60f803ba2877b9c8297e1b584e3b6ec
+  refresh-temp: cc424d6ed1b24e6a02244c623567f6471a362986
 Unapplied:
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..0a01119
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,784 @@
+Bottom: e7b3cec4e03306c8e81023c08b98e74a0faacbbe
+Top:    7fa654adb8d9082bddec3251021da106124844a9
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 05:01:58 -0300
+
+Refresh of manual-document-mt-safety-filesys.patch
+
+---
+
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 814c210..c7eb13b 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c If buffer is NULL, this function calls malloc and realloc, and, in
++@c case of error, free.  Linux offers a getcwd syscall that we use on
++@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
++@c fallback, and on other systems, the generic implementation opens each
++@c parent directory with opendir, which allocates memory for the
++@c directory stream with malloc.  If a fstatat64 syscall is not
++@c available, very deep directory trees may also have to malloc to build
++@c longer sequences of ../../../... than those supported by a global
++@c const read-only string.
++
++@c linux/__getcwd
++@c  posix/__getcwd
++@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
++@c   lstat64 -> see its own entry
++@c   fstatat64
++@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
++@c   openat64_not_cancel_3, close_not_cancel_no_status
++@c   __fdopendir, __opendir, __readdir, rewinddir
+ The @code{getcwd} function returns an absolute file name representing
+ the current working directory, storing it in the character array
+ @var{buffer} that you provide.  The @var{size} argument is how you tell
+@@ -116,6 +135,9 @@ software.
+ @comment unistd.h
+ @comment BSD
+ @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
++@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
++@c Besides the getcwd safety issues, it calls strerror_r on error, which
++@c brings in all of the i18n issues.
+ This is similar to @code{getcwd}, but has no way to specify the size of
+ the buffer.  @Theglibc{} provides @code{getwd} only
+ for backwards compatibility with BSD.
+@@ -130,6 +152,9 @@ this function is deprecated.
+ @comment unistd.h
+ @comment GNU
+ @deftypefun {char *} get_current_dir_name (void)
++@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides getcwd, which this function calls as a fallback, it calls
++@c getenv, with the usual thread-safety issues that brings about.
+ @vindex PWD
+ This @code{get_current_dir_name} function is basically equivalent to
+ @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
+@@ -145,6 +170,7 @@ This function is a GNU extension.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ @var{filename}.
+ 
+@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
+ @comment unistd.h
+ @comment XPG
+ @deftypefun int fchdir (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ directory associated with the file descriptor @var{filedes}.
+ 
+@@ -294,12 +321,14 @@ values and @code{st_mode} values:
+ @comment dirent.h
+ @comment BSD
+ @deftypefun int IFTODT (mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{d_type} value corresponding to @var{mode}.
+ @end deftypefun
+ 
+ @comment dirent.h
+ @comment BSD
+ @deftypefun mode_t DTTOIF (int @var{dtype})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{st_mode} value corresponding to @var{dtype}.
+ @end deftypefun
+ @end table
+@@ -342,6 +371,9 @@ the following functions.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {DIR *} opendir (const char *@var{dirname})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides the safe syscall, we have to allocate the DIR object with
++@c __alloc_dir, that calls malloc.
+ The @code{opendir} function opens and returns a directory stream for
+ reading the directory whose file name is @var{dirname}.  The stream has
+ type @code{DIR *}.
+@@ -381,6 +413,8 @@ alternative interface can be used.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun {DIR *} fdopendir (int @var{fd})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c The DIR object is allocated with __alloc_dir, that calls malloc.
+ The @code{fdopendir} function works just like @code{opendir} but
+ instead of taking a file name and opening a file descriptor for the
+ directory the caller is required to provide a file descriptor.  This
+@@ -425,6 +459,7 @@ access.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int dirfd (DIR *@var{dirstream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The function @code{dirfd} returns the file descriptor associated with
+ the directory stream @var{dirstream}.  This descriptor can be used until
+ the directory is closed with @code{closedir}.  If the directory stream
+@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c This function holds dirstream's non-recursive lock, which brings
++@c about the usual issues with locks and async signals and cancellation,
++@c but the lock taking is not enough to make the returned value safe to
++@c use, since it points to a stream's internal buffer that can be
++@c overwritten by subsequent calls or even released by closedir.
+ This function reads the next entry from the directory.  It normally
+ returns a pointer to a structure containing information about the
+ file.  This structure is associated with the @var{dirstream} handle
+@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ This function is a version of @code{readdir} which performs internal
+ locking.  Like @code{readdir} it returns the next entry from the
+ directory.  To prevent conflicts between simultaneously running
+@@ -549,6 +591,7 @@ of the last two functions.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64} function is just like the @code{readdir} function
+ except that it returns a pointer to a record of type @code{struct
+ dirent64}.  Some of the members of this data type (notably @code{d_ino})
+@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64_r} function is equivalent to the @code{readdir_r}
+ function except that it takes parameters of base type @code{struct
+ dirent64} instead of @code{struct dirent} in the second and third
+@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun int closedir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
++@c No synchronization in the posix implementation, only in the hurd
++@c one.  This is regarded as safe because it is undefined behavior if
++@c other threads could still be using the dir stream while it's closed.
+ This function closes the directory stream @var{dirstream}.  It returns
+ @code{0} on success and @code{-1} on failure.
+ 
+@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun void rewinddir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{rewinddir} function is used to reinitialize the directory
+ stream @var{dirstream}, so that if you call @code{readdir} it
+ returns information about the first entry in the directory again.  This
+@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
+ @comment dirent.h
+ @comment BSD
+ @deftypefun {long int} telldir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{telldir} function returns the file position of the directory
+ stream @var{dirstream}.  You can use this value with @code{seekdir} to
+ restore the directory stream to that position.
+@@ -630,6 +683,10 @@ restore the directory stream to that position.
+ @comment dirent.h
+ @comment BSD
+ @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{seekdir} function sets the file position of the directory
+ stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
+ result of a previous call to @code{telldir} on this particular stream;
+@@ -649,6 +706,19 @@ the result.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c The scandir function calls __opendirat, __readdir, and __closedir to
++@c go over the named dir; malloc and realloc to allocate the namelist
++@c and copies of each selected dirent, besides the selector, if given,
++@c and qsort and the cmp functions if the latter is given.  In spite of
++@c the cleanup handler that releases memory and the file descriptor in
++@c case of synchronous cancellation, an asynchronous cancellation may
++@c still leak memory and a file descriptor.  Although readdir is unsafe
++@c in general, the use of an internal dir stream for sequential scanning
++@c of the directory with copying of dirents before subsequent calls
++@c makes the use safe, and the fact that the dir stream is private to
++@c each scandir call does away with the lock issues in readdir and
++@c closedir.
+ 
+ The @code{scandir} function scans the contents of the directory selected
+ by @var{dir}.  The result in *@var{namelist} is an array of pointers to
+@@ -679,6 +749,8 @@ are very helpful for this purpose.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c Calls strcoll.
+ The @code{alphasort} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c Calls strverscmp.
+ The @code{versionsort} function is like @code{alphasort} except that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c See scandir.
+ The @code{scandir64} function works like the @code{scandir} function
+ except that the directory entries it returns are described by elements
+ of type @w{@code{struct dirent64}}.  The function pointed to by
+@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c See alphasort.
+ The @code{alphasort64} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c See versionsort.
+ The @code{versionsort64} function is like @code{alphasort64}, excepted that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -913,6 +993,8 @@ file was passed).
+ @comment ftw.h
+ @comment SVID
+ @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
++@c see nftw for safety details
+ The @code{ftw} function calls the callback function given in the
+ parameter @var{func} for every item which is found in the directory
+ specified by @var{filename} and all directories below.  The function
+@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+ This function is similar to @code{ftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
+ @comment ftw.h
+ @comment XPG4.2
+ @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
++@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
++@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
++@c  if FTW_CHDIR, also calls fchdir
++@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
++@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
++@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
++@c  find_object (tsearch) and add_object (tfind).
++@c Since each invocation of *ftw uses its own private search tree, none
++@c  of the search tree concurrency issues apply.
+ The @code{nftw} function works like the @code{ftw} functions.  They call
+ the callback function @var{func} for all items found in the directory
+ @var{filename} and below.  At most @var{descriptors} file descriptors
+@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+ This function is similar to @code{nftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{link} function makes a new link to the existing file named by
+ @var{oldname}, under the new name @var{newname}.
+ 
+@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{symlink} function makes a symbolic link to @var{oldname} named
+ @var{newname}.
+ 
+@@ -1223,6 +1320,7 @@ exceeded.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{readlink} function gets the value of the symbolic link
+ @var{filename}.  The file name that the link points to is copied into
+ @var{buffer}.  This file name string is @emph{not} null-terminated;
+@@ -1282,6 +1380,8 @@ names can refer to the same inode.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun {char *} canonicalize_file_name (const char *@var{name})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls realpath.
+ 
+ The @code{canonicalize_file_name} function returns the absolute name of
+ the file named by @var{name} which contains no @code{.}, @code{..}
+@@ -1323,6 +1423,8 @@ where the result is placed in.
+ @comment stdlib.h
+ @comment XPG
+ @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
+ 
+ A call to @code{realpath} where the @var{resolved} parameter is
+ @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
+@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int unlink (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{unlink} function deletes the file name @var{filename}.  If
+ this is a file's sole name, the file itself is also deleted.  (Actually,
+ if any process has the file open when this happens, deletion is
+@@ -1404,6 +1507,7 @@ file system and can't be modified.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int rmdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @cindex directories, deleting
+ @cindex deleting a directory
+ The @code{rmdir} function deletes a directory.  The directory must be
+@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int remove (const char *@var{filename})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Calls unlink and rmdir.
+ This is the @w{ISO C} function to remove a file.  It works like
+ @code{unlink} for files and like @code{rmdir} for directories.
+ @code{remove} is declared in @file{stdio.h}.
+@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a rename syscall, there's an emulation with link
++@c and unlink, but it's racy, even more so if newname exists and is
++@c unlinked first.
+ The @code{rename} function renames the file @var{oldname} to
+ @var{newname}.  The file formerly accessible under the name
+ @var{oldname} is afterwards accessible as @var{newname} instead.  (If
+@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{mkdir} function creates a new, empty directory with name
+ @var{filename}.
+ 
+@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{stat} function returns information about the attributes of the
+ file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
+ 
+@@ -1908,6 +2020,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{stat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fstat} function is like @code{stat}, except that it takes an
+ open file descriptor as an argument instead of a file name.
+ @xref{Low-Level I/O}.
+@@ -1942,6 +2056,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{fstat} but is able to work on large
+ files on 32-bit platforms.  For large files the file descriptor
+ @var{filedes} should be obtained by @code{open64} or @code{creat64}.
+@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
+ replaces the interface for small files on 32-bit machines.
+ @end deftypefun
+ 
++@c fstatat will call alloca and snprintf if the syscall is not
++@c available.
++@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat, sometimes with an xstat conv call
++@c afterwards.
+ The @code{lstat} function is like @code{stat}, except that it does not
+ follow symbolic links.  If @var{filename} is the name of a symbolic
+ link, @code{lstat} returns information about the link itself; otherwise
+@@ -1969,6 +2091,9 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat64, sometimes with an xstat conv
++@c call afterwards.
+ This function is similar to @code{lstat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -2007,12 +2132,14 @@ that file:
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISDIR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a directory.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISCHR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a character special file (a
+ device like a terminal).
+ @end deftypefn
+@@ -2020,6 +2147,7 @@ device like a terminal).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISBLK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a block special file (a device
+ like a disk).
+ @end deftypefn
+@@ -2027,12 +2155,14 @@ like a disk).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISREG (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a regular file.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISFIFO (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a FIFO special file, or a
+ pipe.  @xref{Pipes and FIFOs}.
+ @end deftypefn
+@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISLNK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a symbolic link.
+ @xref{Symbolic Links}.
+ @end deftypefn
+@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISSOCK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a socket.  @xref{Sockets}.
+ @end deftypefn
+ 
+@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX message queues as distinct objects and the
+ file is a message queue object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX semaphores as distinct objects and the
+ file is a semaphore object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX shared memory objects as distinct objects
+ and the file is an shared memory object, this macro returns a non-zero
+ value.  In all other cases the result is zero.
+@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chown} function changes the owner of the file @var{filename} to
+ @var{owner}, and its group owner to @var{group}.
+ 
+@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chown}, except that it changes the owner of the open
+ file with descriptor @var{filedes}.
+ 
+@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun mode_t umask (mode_t @var{mask})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{umask} function sets the file creation mask of the current
+ process to @var{mask}, and returns the previous value of the file
+ creation mask.
+@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefun mode_t getumask (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Return the current value of the file creation mask for the current
+ process.  This function is a GNU extension and is only available on
+ @gnuhurdsystems{}.
+@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chmod} function sets the access permission bits for the file
+ named by @var{filename} to @var{mode}.
+ 
+@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chmod}, except that it changes the permissions of the
+ currently open file given by @var{filedes}.
+ 
+@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int access (const char *@var{filename}, int @var{how})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{access} function checks to see whether the file named by
+ @var{filename} can be accessed in the way specified by the @var{how}
+ argument.  The @var{how} argument either can be the bitwise OR of the
+@@ -2765,6 +2907,9 @@ This is the modification time for the file.
+ @comment utime.h
+ @comment POSIX.1
+ @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utime syscall, it non-atomically converts times
++@c to a struct timeval and calls utimes.
+ This function is used to modify the file times associated with the file
+ named @var{filename}.
+ 
+@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, or to
++@c struct utimbuf and calls utime.
+ This function sets the file access and modification times of the file
+ @var{filename}.  The new file access time is specified by
+ @code{@var{tvp}[0]}, and the new modification time by
+@@ -2830,6 +2979,9 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no lutimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall.
+ This function is like @code{utimes}, except that it does not follow
+ symbolic links.  If @var{filename} is the name of a symbolic link,
+ @code{lutimes} sets the file access and modification times of the
+@@ -2846,6 +2998,10 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no futimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, falling back
++@c to utimes on a /proc/self/fd symlink.
+ This function is like @code{utimes}, except that it takes an open file
+ descriptor as an argument instead of a file name.  @xref{Low-Level
+ I/O}.  This function comes from FreeBSD, and is not available on all
+@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
+ @comment unistd.h
+ @comment X/Open
+ @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a truncate syscall, we use open and ftruncate.
+ 
+ The @code{truncate} function changes the size of @var{filename} to
+ @var{length}.  If @var{length} is shorter than the previous length, data
+@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try truncate if length fits.
+ This function is similar to the @code{truncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines, which allows the handling of files with sizes up to
+@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This is like @code{truncate}, but it works on a file descriptor @var{fd}
+ for an opened file instead of a file name to identify the object.  The
+@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try ftruncate if length fits.
+ This function is similar to the @code{ftruncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines which allows the handling of files with sizes up to
+@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Instead of issuing the syscall directly, we go through xmknod.
++@c Although the internal xmknod takes a dev_t*, that could lead to
++@c xguargs races, it's passed a pointer to mknod's dev.
+ The @code{mknod} function makes a special file with name @var{filename}.
+ The @var{mode} specifies the mode of the file, and may include the various
+ special file bits, such as @code{S_IFCHR} (for a character special file)
+@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} tmpfile (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@c The unsafety issues are those of fdopen, plus fdleak because of the
++@c open.
++@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
++@c  libc_secure_genenv only if try_tmpdir
++@c  xstat64, strlen, strcmp, sprintf
++@c __gen_tempname (internal tmpl, __GT_FILE) ok
++@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
++@c  HP_TIMING_NOW if available ok
++@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
++@c  static value is used and modified without synchronization ok
++@c   but the use is as a source of non-cryptographic randomness
++@c   with retries in case of collision, so it should be safe
++@c unlink, fdopen
+ This function creates a temporary binary file for update mode, as if by
+ calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
+ automatically when it is closed or when the program terminates.  (On
+@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} tmpfile64 (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+ This function is similar to @code{tmpfile}, but the stream it returns a
+ pointer to was opened using @code{tmpfile64}.  Therefore this stream can
+ be used for files larger then @math{2^31} bytes on 32-bit machines.
+@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {char *} tmpnam (char *@var{result})
++@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
++@c The passed-in buffer should not be modified concurrently with the
++@c call.
++@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+ This function constructs and returns a valid file name that does not
+ refer to any existing file.  If the @var{result} argument is a null
+ pointer, the return value is a pointer to an internal static string,
+@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {char *} tmpnam_r (char *@var{result})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+ This function is nearly identical to the @code{tmpnam} function, except
+ that if @var{result} is a null pointer it returns a null pointer.
+ 
+@@ -3225,6 +3413,13 @@ never less than @code{25}.
+ @comment stdio.h
+ @comment SVID
+ @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
++@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
++@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
++@c even with a non-NULL dir, which makes this thread-unsafe.
++@c
++@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
++@c strdup
+ This function generates a unique temporary file name.  If @var{prefix}
+ is not a null pointer, up to five characters of this string are used as
+ a prefix for the file name.  The return value is a string newly
+@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
+ @comment stdlib.h
+ @comment Unix
+ @deftypefun {char *} mktemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
+ The @code{mktemp} function generates a unique file name by modifying
+ @var{template} as described above.  If successful, it returns
+ @var{template} as modified.  If @code{mktemp} cannot find a unique file
+@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun int mkstemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
++@c __gen_tempname (caller tmpl, __GT_FILE) ok
+ The @code{mkstemp} function generates a unique file name just as
+ @code{mktemp} does, but it also opens the file for you with @code{open}
+ (@pxref{Opening and Closing Files}).  If successful, it modifies
+@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun {char *} mkdtemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_DIR) ok
+ The @code{mkdtemp} function creates a directory with a unique name.  If
+ it succeeds, it overwrites @var{template} with the name of the
+ directory, and returns @var{template}.  As with @code{mktemp} and
+@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
+ @xref{Creating Directories}.
+ 
+ The @code{mkdtemp} function comes from OpenBSD.
++
++@c FIXME these are undocumented:
++@c faccessat
++@c fchmodat
++@c fchownat
++@c futimesat
++@c fstatat (there's a commented-out safety assessment for this one)
++@c linkat
++@c mkdirat
++@c mkfifoat
++@c name_to_handle_at
++@c openat
++@c open_by_handle_at
++@c readlinkat
++@c renameat
++@c scandirat
++@c symlinkat
++@c unlinkat
++@c utimensat
++@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cc424d6ed1b24e6a02244c623567f6471a362986

commit cc424d6ed1b24e6a02244c623567f6471a362986
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 05:01:58 2013 -0300

    Refresh of manual-document-mt-safety-filesys.patch

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 814c210..c7eb13b 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the
 file.  This structure is associated with the @var{dirstream} handle
@@ -478,6 +519,7 @@ locking if multiple threads access the same @var{dirstream}.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is a version of @code{readdir} which performs internal
 locking.  Like @code{readdir} it returns the next entry from the
 directory.  To prevent conflicts between simultaneously running
@@ -549,6 +591,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -560,6 +603,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -570,6 +614,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -609,6 +657,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -622,6 +671,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -630,6 +683,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -649,6 +706,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -679,6 +749,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -691,6 +763,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -703,6 +777,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -721,6 +797,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -733,6 +811,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -913,6 +993,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -963,6 +1045,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -976,6 +1059,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1036,6 +1130,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1079,6 +1174,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1186,6 +1282,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1223,6 +1320,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1282,6 +1380,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1323,6 +1423,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1362,6 +1464,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1404,6 +1507,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1431,6 +1535,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1446,6 +1552,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1541,6 +1651,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1882,6 +1993,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1908,6 +2020,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1921,6 +2034,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1942,6 +2056,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1953,9 +2068,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1969,6 +2091,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -2007,12 +2132,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -2020,6 +2147,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -2027,12 +2155,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2040,6 +2170,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2047,6 +2178,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2129,6 +2261,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2137,6 +2270,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2145,6 +2279,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2189,6 +2324,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2223,6 +2359,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2502,6 +2639,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2527,6 +2665,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2535,6 +2674,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2575,6 +2715,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2645,6 +2786,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2765,6 +2907,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2816,6 +2961,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2830,6 +2979,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2846,6 +2998,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2900,6 +3056,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2944,6 +3102,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2957,6 +3117,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -3021,6 +3182,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3083,6 +3246,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3134,6 +3301,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3150,6 +3331,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3165,6 +3347,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3189,6 +3376,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3225,6 +3413,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3288,6 +3483,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3306,6 +3503,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3328,6 +3527,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3349,3 +3550,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=828a9e296e22f33484c009b88eaf45b523b64d83

commit 828a9e296e22f33484c009b88eaf45b523b64d83
Merge: d132003 fa001f7 bcb5ff7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:52:56 2013 -0300

    pull (CONFLICT)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d1320034d55f8d03582f23ce5338b8ef693a7607

commit d1320034d55f8d03582f23ce5338b8ef693a7607
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:52:56 2013 -0300

    pull (CONFLICT)

diff --git a/meta b/meta
index 2fa5052..b006b37 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: cf9af743e59dfbf5fda5a2a47c3e79180f45abdb
-Head: 1de4023eaef09c4f66ee8cda9af72299102a6a11
+Previous: bcb5ff7712c3f8a6dc163c0612292f179920c79c
+Head: fa001f73d60f803ba2877b9c8297e1b584e3b6ec
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 696f6dab87abef96e7993fda3f143bbdeb1f34e8
   unused-scalb-is-scalbn.patch: 8e4917e9cf19e11865e8257a23808022f8661b79
@@ -14,8 +14,8 @@ Applied:
   manual-document-mt-safety-ctype.patch: f9c7c5a3a45afe0537eac97659a8035fcd353755
   manual-document-mt-safety-debug.patch: 93d4600a981245726112f8653ae093789c5781bc
   manual-document-mt-safety-errno.patch: 1de4023eaef09c4f66ee8cda9af72299102a6a11
+  manual-document-mt-safety-filesys.patch: fa001f73d60f803ba2877b9c8297e1b584e3b6ec
 Unapplied:
-  manual-document-mt-safety-filesys.patch: 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
   manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index f1fe08e..7dc7236 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,7 +1,7 @@
-Bottom: 1ff2a8e59e8b9699588c78ee345f4d6ed95eb078
-Top:    cdc226230e45430773c967a5b19e606c9ac5c26c
+Bottom: e7b3cec4e03306c8e81023c08b98e74a0faacbbe
+Top:    e7b3cec4e03306c8e81023c08b98e74a0faacbbe
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:06:03 -0300
+Date:   2013-08-16 04:52:55 -0300
 
 Thread safety documentation.
 
@@ -12,778 +12,4 @@ for ChangeLog
 
 ---
 
-diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 1df9cf2..b5b6630 100644
---- a/manual/filesys.texi
-+++ b/manual/filesys.texi
-@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
- @comment unistd.h
- @comment POSIX.1
- @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c If buffer is NULL, this function calls malloc and realloc, and, in
-+@c case of error, free.  Linux offers a getcwd syscall that we use on
-+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
-+@c fallback, and on other systems, the generic implementation opens each
-+@c parent directory with opendir, which allocates memory for the
-+@c directory stream with malloc.  If a fstatat64 syscall is not
-+@c available, very deep directory trees may also have to malloc to build
-+@c longer sequences of ../../../... than those supported by a global
-+@c const read-only string.
-+
-+@c linux/__getcwd
-+@c  posix/__getcwd
-+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
-+@c   lstat64 -> see its own entry
-+@c   fstatat64
-+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
-+@c   openat64_not_cancel_3, close_not_cancel_no_status
-+@c   __fdopendir, __opendir, __readdir, rewinddir
- The @code{getcwd} function returns an absolute file name representing
- the current working directory, storing it in the character array
- @var{buffer} that you provide.  The @var{size} argument is how you tell
-@@ -116,6 +135,9 @@ software.
- @comment unistd.h
- @comment BSD
- @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
-+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
-+@c Besides the getcwd safety issues, it calls strerror_r on error, which
-+@c brings in all of the i18n issues.
- This is similar to @code{getcwd}, but has no way to specify the size of
- the buffer.  @Theglibc{} provides @code{getwd} only
- for backwards compatibility with BSD.
-@@ -130,6 +152,9 @@ this function is deprecated.
- @comment unistd.h
- @comment GNU
- @deftypefun {char *} get_current_dir_name (void)
-+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Besides getcwd, which this function calls as a fallback, it calls
-+@c getenv, with the usual thread-safety issues that brings about.
- @vindex PWD
- This @code{get_current_dir_name} function is basically equivalent to
- @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
-@@ -145,6 +170,7 @@ This function is a GNU extension.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int chdir (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is used to set the process's working directory to
- @var{filename}.
- 
-@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
- @comment unistd.h
- @comment XPG
- @deftypefun int fchdir (int @var{filedes})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is used to set the process's working directory to
- directory associated with the file descriptor @var{filedes}.
- 
-@@ -294,12 +321,14 @@ values and @code{st_mode} values:
- @comment dirent.h
- @comment BSD
- @deftypefun int IFTODT (mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This returns the @code{d_type} value corresponding to @var{mode}.
- @end deftypefun
- 
- @comment dirent.h
- @comment BSD
- @deftypefun mode_t DTTOIF (int @var{dtype})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This returns the @code{st_mode} value corresponding to @var{dtype}.
- @end deftypefun
- @end table
-@@ -342,6 +371,9 @@ the following functions.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun {DIR *} opendir (const char *@var{dirname})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Besides the safe syscall, we have to allocate the DIR object with
-+@c __alloc_dir, that calls malloc.
- The @code{opendir} function opens and returns a directory stream for
- reading the directory whose file name is @var{dirname}.  The stream has
- type @code{DIR *}.
-@@ -381,6 +413,8 @@ alternative interface can be used.
- @comment dirent.h
- @comment GNU
- @deftypefun {DIR *} fdopendir (int @var{fd})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c The DIR object is allocated with __alloc_dir, that calls malloc.
- The @code{fdopendir} function works just like @code{opendir} but
- instead of taking a file name and opening a file descriptor for the
- directory the caller is required to provide a file descriptor.  This
-@@ -425,6 +459,7 @@ access.
- @comment dirent.h
- @comment GNU
- @deftypefun int dirfd (DIR *@var{dirstream})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The function @code{dirfd} returns the file descriptor associated with
- the directory stream @var{dirstream}.  This descriptor can be used until
- the directory is closed with @code{closedir}.  If the directory stream
-@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
-+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
-+@c This function holds dirstream's non-recursive lock, which brings
-+@c about the usual issues with locks and async signals and cancellation,
-+@c but the lock taking is not enough to make the returned value safe to
-+@c use, since it points to a stream's internal buffer that can be
-+@c overwritten by subsequent calls or even released by closedir.
- This function reads the next entry from the directory.  It normally
- returns a pointer to a structure containing information about the file.
- This structure is statically allocated and can be rewritten by a
-@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
- @comment dirent.h
- @comment GNU
- @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- This function is the reentrant version of @code{readdir}.  Like
- @code{readdir} it returns the next entry from the directory.  But to
- prevent conflicts between simultaneously running threads the result is
-@@ -516,6 +558,7 @@ of the last two functions.
- @comment dirent.h
- @comment LFS
- @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
-+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{readdir64} function is just like the @code{readdir} function
- except that it returns a pointer to a record of type @code{struct
- dirent64}.  Some of the members of this data type (notably @code{d_ino})
-@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
- @comment dirent.h
- @comment LFS
- @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{readdir64_r} function is equivalent to the @code{readdir_r}
- function except that it takes parameters of base type @code{struct
- dirent64} instead of @code{struct dirent} in the second and third
-@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
- @comment dirent.h
- @comment POSIX.1
- @deftypefun int closedir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
-+@c No synchronization in the posix implementation, only in the hurd
-+@c one.  This is regarded as safe because it is undefined behavior if
-+@c other threads could still be using the dir stream while it's closed.
- This function closes the directory stream @var{dirstream}.  It returns
- @code{0} on success and @code{-1} on failure.
- 
-@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun void rewinddir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{rewinddir} function is used to reinitialize the directory
- stream @var{dirstream}, so that if you call @code{readdir} it
- returns information about the first entry in the directory again.  This
-@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
- @comment dirent.h
- @comment BSD
- @deftypefun {long int} telldir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
-+@c The implementation is safe on most platforms, but on BSD it uses
-+@c cookies, buckets and records, and the global array of pointers to
-+@c dynamically allocated records is guarded by a non-recursive lock.
- The @code{telldir} function returns the file position of the directory
- stream @var{dirstream}.  You can use this value with @code{seekdir} to
- restore the directory stream to that position.
-@@ -597,6 +650,10 @@ restore the directory stream to that position.
- @comment dirent.h
- @comment BSD
- @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
-+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
-+@c The implementation is safe on most platforms, but on BSD it uses
-+@c cookies, buckets and records, and the global array of pointers to
-+@c dynamically allocated records is guarded by a non-recursive lock.
- The @code{seekdir} function sets the file position of the directory
- stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
- result of a previous call to @code{telldir} on this particular stream;
-@@ -616,6 +673,19 @@ the result.
- @comment dirent.h
- @comment BSD/SVID
- @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
-+@c The scandir function calls __opendirat, __readdir, and __closedir to
-+@c go over the named dir; malloc and realloc to allocate the namelist
-+@c and copies of each selected dirent, besides the selector, if given,
-+@c and qsort and the cmp functions if the latter is given.  In spite of
-+@c the cleanup handler that releases memory and the file descriptor in
-+@c case of synchronous cancellation, an asynchronous cancellation may
-+@c still leak memory and a file descriptor.  Although readdir is unsafe
-+@c in general, the use of an internal dir stream for sequential scanning
-+@c of the directory with copying of dirents before subsequent calls
-+@c makes the use safe, and the fact that the dir stream is private to
-+@c each scandir call does away with the lock issues in readdir and
-+@c closedir.
- 
- The @code{scandir} function scans the contents of the directory selected
- by @var{dir}.  The result in *@var{namelist} is an array of pointers to
-@@ -646,6 +716,8 @@ are very helpful for this purpose.
- @comment dirent.h
- @comment BSD/SVID
- @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c Calls strcoll.
- The @code{alphasort} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
- are not string pointers but instead they are of type
-@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c Calls strverscmp.
- The @code{versionsort} function is like @code{alphasort} except that it
- uses the @code{strverscmp} function internally.
- @end deftypefun
-@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
- @comment dirent.h
- @comment GNU
- @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
-+@c See scandir.
- The @code{scandir64} function works like the @code{scandir} function
- except that the directory entries it returns are described by elements
- of type @w{@code{struct dirent64}}.  The function pointed to by
-@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
- @comment dirent.h
- @comment GNU
- @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c See alphasort.
- The @code{alphasort64} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
- are not string pointers but instead they are of type
-@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c See versionsort.
- The @code{versionsort64} function is like @code{alphasort64}, excepted that it
- uses the @code{strverscmp} function internally.
- @end deftypefun
-@@ -880,6 +960,8 @@ file was passed).
- @comment ftw.h
- @comment SVID
- @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
-+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
-+@c see nftw for safety details
- The @code{ftw} function calls the callback function given in the
- parameter @var{func} for every item which is found in the directory
- specified by @var{filename} and all directories below.  The function
-@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
- @comment ftw.h
- @comment Unix98
- @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
-+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
- This function is similar to @code{ftw} but it can work on filesystems
- with large files.  File information is reported using a variable of type
- @code{struct stat64} which is passed by reference to the callback
-@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
- @comment ftw.h
- @comment XPG4.2
- @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
-+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
-+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
-+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
-+@c  if FTW_CHDIR, also calls fchdir
-+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
-+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
-+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
-+@c  find_object (tsearch) and add_object (tfind).
-+@c Since each invocation of *ftw uses its own private search tree, none
-+@c  of the search tree concurrency issues apply.
- The @code{nftw} function works like the @code{ftw} functions.  They call
- the callback function @var{func} for all items found in the directory
- @var{filename} and below.  At most @var{descriptors} file descriptors
-@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
- @comment ftw.h
- @comment Unix98
- @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
-+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
- This function is similar to @code{nftw} but it can work on filesystems
- with large files.  File information is reported using a variable of type
- @code{struct stat64} which is passed by reference to the callback
-@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{link} function makes a new link to the existing file named by
- @var{oldname}, under the new name @var{newname}.
- 
-@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
- @comment unistd.h
- @comment BSD
- @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{symlink} function makes a symbolic link to @var{oldname} named
- @var{newname}.
- 
-@@ -1190,6 +1287,7 @@ exceeded.
- @comment unistd.h
- @comment BSD
- @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{readlink} function gets the value of the symbolic link
- @var{filename}.  The file name that the link points to is copied into
- @var{buffer}.  This file name string is @emph{not} null-terminated;
-@@ -1249,6 +1347,8 @@ names can refer to the same inode.
- @comment stdlib.h
- @comment GNU
- @deftypefun {char *} canonicalize_file_name (const char *@var{name})
-+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Calls realpath.
- 
- The @code{canonicalize_file_name} function returns the absolute name of
- the file named by @var{name} which contains no @code{.}, @code{..}
-@@ -1290,6 +1390,8 @@ where the result is placed in.
- @comment stdlib.h
- @comment XPG
- @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
-+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
- 
- A call to @code{realpath} where the @var{resolved} parameter is
- @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
-@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int unlink (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{unlink} function deletes the file name @var{filename}.  If
- this is a file's sole name, the file itself is also deleted.  (Actually,
- if any process has the file open when this happens, deletion is
-@@ -1371,6 +1474,7 @@ file system and can't be modified.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int rmdir (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- @cindex directories, deleting
- @cindex deleting a directory
- The @code{rmdir} function deletes a directory.  The directory must be
-@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
- @comment stdio.h
- @comment ISO
- @deftypefun int remove (const char *@var{filename})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Calls unlink and rmdir.
- This is the @w{ISO C} function to remove a file.  It works like
- @code{unlink} for files and like @code{rmdir} for directories.
- @code{remove} is declared in @file{stdio.h}.
-@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
- @comment stdio.h
- @comment ISO
- @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a rename syscall, there's an emulation with link
-+@c and unlink, but it's racy, even more so if newname exists and is
-+@c unlinked first.
- The @code{rename} function renames the file @var{oldname} to
- @var{newname}.  The file formerly accessible under the name
- @var{oldname} is afterwards accessible as @var{newname} instead.  (If
-@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{mkdir} function creates a new, empty directory with name
- @var{filename}.
- 
-@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{stat} function returns information about the attributes of the
- file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
- 
-@@ -1875,6 +1987,7 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{stat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
- this the result is stored in a variable of type @code{struct stat64} to
-@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{fstat} function is like @code{stat}, except that it takes an
- open file descriptor as an argument instead of a file name.
- @xref{Low-Level I/O}.
-@@ -1909,6 +2023,7 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{fstat} but is able to work on large
- files on 32-bit platforms.  For large files the file descriptor
- @var{filedes} should be obtained by @code{open64} or @code{creat64}.
-@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
- replaces the interface for small files on 32-bit machines.
- @end deftypefun
- 
-+@c fstatat will call alloca and snprintf if the syscall is not
-+@c available.
-+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
-+
- @comment sys/stat.h
- @comment BSD
- @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct system call through lxstat, sometimes with an xstat conv call
-+@c afterwards.
- The @code{lstat} function is like @code{stat}, except that it does not
- follow symbolic links.  If @var{filename} is the name of a symbolic
- link, @code{lstat} returns information about the link itself; otherwise
-@@ -1936,6 +2058,9 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct system call through lxstat64, sometimes with an xstat conv
-+@c call afterwards.
- This function is similar to @code{lstat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
- this the result is stored in a variable of type @code{struct stat64} to
-@@ -1974,12 +2099,14 @@ that file:
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISDIR (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a directory.
- @end deftypefn
- 
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISCHR (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a character special file (a
- device like a terminal).
- @end deftypefn
-@@ -1987,6 +2114,7 @@ device like a terminal).
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISBLK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a block special file (a device
- like a disk).
- @end deftypefn
-@@ -1994,12 +2122,14 @@ like a disk).
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISREG (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a regular file.
- @end deftypefn
- 
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISFIFO (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a FIFO special file, or a
- pipe.  @xref{Pipes and FIFOs}.
- @end deftypefn
-@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
- @comment sys/stat.h
- @comment GNU
- @deftypefn Macro int S_ISLNK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a symbolic link.
- @xref{Symbolic Links}.
- @end deftypefn
-@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
- @comment sys/stat.h
- @comment GNU
- @deftypefn Macro int S_ISSOCK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a socket.  @xref{Sockets}.
- @end deftypefn
- 
-@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX message queues as distinct objects and the
- file is a message queue object, this macro returns a non-zero value.
- In all other cases the result is zero.
-@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX semaphores as distinct objects and the
- file is a semaphore object, this macro returns a non-zero value.
- In all other cases the result is zero.
-@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX shared memory objects as distinct objects
- and the file is an shared memory object, this macro returns a non-zero
- value.  In all other cases the result is zero.
-@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{chown} function changes the owner of the file @var{filename} to
- @var{owner}, and its group owner to @var{group}.
- 
-@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
- @comment unistd.h
- @comment BSD
- @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is like @code{chown}, except that it changes the owner of the open
- file with descriptor @var{filedes}.
- 
-@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun mode_t umask (mode_t @var{mask})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{umask} function sets the file creation mask of the current
- process to @var{mask}, and returns the previous value of the file
- creation mask.
-@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
- @comment sys/stat.h
- @comment GNU
- @deftypefun mode_t getumask (void)
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Return the current value of the file creation mask for the current
- process.  This function is a GNU extension and is only available on
- @gnuhurdsystems{}.
-@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{chmod} function sets the access permission bits for the file
- named by @var{filename} to @var{mode}.
- 
-@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
- @comment sys/stat.h
- @comment BSD
- @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is like @code{chmod}, except that it changes the permissions of the
- currently open file given by @var{filedes}.
- 
-@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int access (const char *@var{filename}, int @var{how})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{access} function checks to see whether the file named by
- @var{filename} can be accessed in the way specified by the @var{how}
- argument.  The @var{how} argument either can be the bitwise OR of the
-@@ -2732,6 +2874,9 @@ This is the modification time for the file.
- @comment utime.h
- @comment POSIX.1
- @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a utime syscall, it non-atomically converts times
-+@c to a struct timeval and calls utimes.
- This function is used to modify the file times associated with the file
- named @var{filename}.
- 
-@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
- @comment sys/time.h
- @comment BSD
- @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a utimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall, or to
-+@c struct utimbuf and calls utime.
- This function sets the file access and modification times of the file
- @var{filename}.  The new file access time is specified by
- @code{@var{tvp}[0]}, and the new modification time by
-@@ -2797,6 +2946,9 @@ function.
- @comment sys/time.h
- @comment BSD
- @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Since there's no lutimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall.
- This function is like @code{utimes}, except that it does not follow
- symbolic links.  If @var{filename} is the name of a symbolic link,
- @code{lutimes} sets the file access and modification times of the
-@@ -2813,6 +2965,10 @@ function.
- @comment sys/time.h
- @comment BSD
- @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Since there's no futimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall, falling back
-+@c to utimes on a /proc/self/fd symlink.
- This function is like @code{utimes}, except that it takes an open file
- descriptor as an argument instead of a file name.  @xref{Low-Level
- I/O}.  This function comes from FreeBSD, and is not available on all
-@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
- @comment unistd.h
- @comment X/Open
- @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a truncate syscall, we use open and ftruncate.
- 
- The @code{truncate} function changes the size of @var{filename} to
- @var{length}.  If @var{length} is shorter than the previous length, data
-@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
- @comment unistd.h
- @comment Unix98
- @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a syscall, try truncate if length fits.
- This function is similar to the @code{truncate} function.  The
- difference is that the @var{length} argument is 64 bits wide even on 32
- bits machines, which allows the handling of files with sizes up to
-@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
- @comment unistd.h
- @comment POSIX
- @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- This is like @code{truncate}, but it works on a file descriptor @var{fd}
- for an opened file instead of a file name to identify the object.  The
-@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
- @comment unistd.h
- @comment Unix98
- @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a syscall, try ftruncate if length fits.
- This function is similar to the @code{ftruncate} function.  The
- difference is that the @var{length} argument is 64 bits wide even on 32
- bits machines which allows the handling of files with sizes up to
-@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
- @comment sys/stat.h
- @comment BSD
- @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Instead of issuing the syscall directly, we go through xmknod.
-+@c Although the internal xmknod takes a dev_t*, that could lead to
-+@c xguargs races, it's passed a pointer to mknod's dev.
- The @code{mknod} function makes a special file with name @var{filename}.
- The @var{mode} specifies the mode of the file, and may include the various
- special file bits, such as @code{S_IFCHR} (for a character special file)
-@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
- @comment stdio.h
- @comment ISO
- @deftypefun {FILE *} tmpfile (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
-+@c The unsafety issues are those of fdopen, plus fdleak because of the
-+@c open.
-+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
-+@c  libc_secure_genenv only if try_tmpdir
-+@c  xstat64, strlen, strcmp, sprintf
-+@c __gen_tempname (internal tmpl, __GT_FILE) ok
-+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
-+@c  HP_TIMING_NOW if available ok
-+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
-+@c  static value is used and modified without synchronization ok
-+@c   but the use is as a source of non-cryptographic randomness
-+@c   with retries in case of collision, so it should be safe
-+@c unlink, fdopen
- This function creates a temporary binary file for update mode, as if by
- calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
- automatically when it is closed or when the program terminates.  (On
-@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
- @comment stdio.h
- @comment Unix98
- @deftypefun {FILE *} tmpfile64 (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
- This function is similar to @code{tmpfile}, but the stream it returns a
- pointer to was opened using @code{tmpfile64}.  Therefore this stream can
- be used for files larger then @math{2^31} bytes on 32-bit machines.
-@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
- @comment stdio.h
- @comment ISO
- @deftypefun {char *} tmpnam (char *@var{result})
-+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
-+@c The passed-in buffer should not be modified concurrently with the
-+@c call.
-+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
-+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
- This function constructs and returns a valid file name that does not
- refer to any existing file.  If the @var{result} argument is a null
- pointer, the return value is a pointer to an internal static string,
-@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
- @comment stdio.h
- @comment GNU
- @deftypefun {char *} tmpnam_r (char *@var{result})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
- This function is nearly identical to the @code{tmpnam} function, except
- that if @var{result} is a null pointer it returns a null pointer.
- 
-@@ -3192,6 +3380,13 @@ never less than @code{25}.
- @comment stdio.h
- @comment SVID
- @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
-+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
-+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
-+@c even with a non-NULL dir, which makes this thread-unsafe.
-+@c
-+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
-+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
-+@c strdup
- This function generates a unique temporary file name.  If @var{prefix}
- is not a null pointer, up to five characters of this string are used as
- a prefix for the file name.  The return value is a string newly
-@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
- @comment stdlib.h
- @comment Unix
- @deftypefun {char *} mktemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
-+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
- The @code{mktemp} function generates a unique file name by modifying
- @var{template} as described above.  If successful, it returns
- @var{template} as modified.  If @code{mktemp} cannot find a unique file
-@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
- @comment stdlib.h
- @comment BSD
- @deftypefun int mkstemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
-+@c __gen_tempname (caller tmpl, __GT_FILE) ok
- The @code{mkstemp} function generates a unique file name just as
- @code{mktemp} does, but it also opens the file for you with @code{open}
- (@pxref{Opening and Closing Files}).  If successful, it modifies
-@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
- @comment stdlib.h
- @comment BSD
- @deftypefun {char *} mkdtemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
-+@c __gen_tempname (caller tmpl, __GT_DIR) ok
- The @code{mkdtemp} function creates a directory with a unique name.  If
- it succeeds, it overwrites @var{template} with the name of the
- directory, and returns @var{template}.  As with @code{mktemp} and
-@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
- @xref{Creating Directories}.
- 
- The @code{mkdtemp} function comes from OpenBSD.
-+
-+@c FIXME these are undocumented:
-+@c faccessat
-+@c fchmodat
-+@c fchownat
-+@c futimesat
-+@c fstatat (there's a commented-out safety assessment for this one)
-+@c linkat
-+@c mkdirat
-+@c mkfifoat
-+@c name_to_handle_at
-+@c openat
-+@c open_by_handle_at
-+@c readlinkat
-+@c renameat
-+@c scandirat
-+@c symlinkat
-+@c unlinkat
-+@c utimensat
-+@c mknodat
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fa001f73d60f803ba2877b9c8297e1b584e3b6ec

commit fa001f73d60f803ba2877b9c8297e1b584e3b6ec
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:52:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bcb5ff7712c3f8a6dc163c0612292f179920c79c

commit bcb5ff7712c3f8a6dc163c0612292f179920c79c
Merge: d9db060 1de4023 cf9af74
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:52:55 2013 -0300

    pull


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d9db06086c822c699f8597d66ac610c715571df0

commit d9db06086c822c699f8597d66ac610c715571df0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:52:55 2013 -0300

    pull

diff --git a/meta b/meta
index 51877f4..2fa5052 100644
--- a/meta
+++ b/meta
@@ -1,19 +1,20 @@
 Version: 1
-Previous: cccee05222f6772a39cbeff86aee5e69c20800ec
-Head: ca6ff75c053a2dc37c42b12d238e3397c604960b
+Previous: cf9af743e59dfbf5fda5a2a47c3e79180f45abdb
+Head: 1de4023eaef09c4f66ee8cda9af72299102a6a11
 Applied:
-  powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
-  unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
-  remove-sysdeps-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
-  manual-document-mt-safety.patch: a55b2aa9900f7f2d98793bb44e882e32b000150b
-  manual-document-mt-safety-argp.patch: f8001a47dc69f4ca878ae0b18dde1eab6f47ca23
-  manual-document-mt-safety-arith.patch: 7288eb7651261bf0ff7d26fd94d47c4a6267169f
-  manual-document-mt-safety-charset.patch: d739c28d7512bc43968ecc860a2501aeb2b38862
-  manual-document-mt-safety-conf.patch: 30f1f3822b1f3a1e8a69529880d4e8e924a3d35a
-  manual-document-mt-safety-crypt.patch: dabcbeb1f646a611c3e18db1dbf0d317276c5fbc
-  manual-document-mt-safety-ctype.patch: 1d9117d74990d3b2c143fd888d1435b627116a49
-  manual-document-mt-safety-debug.patch: 2851febd94cec0ec11937f681c65ada586f9a223
-  manual-document-mt-safety-errno.patch: 06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53
+  powerpc-nofpu-sim-note-nothread.patch: 696f6dab87abef96e7993fda3f143bbdeb1f34e8
+  unused-scalb-is-scalbn.patch: 8e4917e9cf19e11865e8257a23808022f8661b79
+  remove-sysdeps-ieee754-support.patch: a695677bd128bab38d17152a529deb639c38a9cc
+  manual-document-mt-safety.patch: 68be24a2fdb555f49822dadce0e7a9dcce313fef
+  manual-document-mt-safety-argp.patch: 3140ac4a6f81a1c3771e446d1b992366ac25c1fd
+  manual-document-mt-safety-arith.patch: 26f6a615ed5791824c49a73f2c3f2363a1068a67
+  manual-document-mt-safety-charset.patch: 0df07b4fc684fb54e4439dc6d2c3dbbe1bfebcc1
+  manual-document-mt-safety-conf.patch: d07742aef69215a1f5e40b91d1ce62d2bd0f3436
+  manual-document-mt-safety-crypt.patch: 9612e68916ea2d715e826de3ea1e63449b56113a
+  manual-document-mt-safety-ctype.patch: f9c7c5a3a45afe0537eac97659a8035fcd353755
+  manual-document-mt-safety-debug.patch: 93d4600a981245726112f8653ae093789c5781bc
+  manual-document-mt-safety-errno.patch: 1de4023eaef09c4f66ee8cda9af72299102a6a11
+Unapplied:
   manual-document-mt-safety-filesys.patch: 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 3497681f7e488536c7e151c731fff1a56e012b7d
   wip-manual-document-mt-safety-threads.patch: c0dc224a795deac0cc8aacebcade8ae14842af01
   wip-manual-document-mt-safety-time.patch: ca6ff75c053a2dc37c42b12d238e3397c604960b
-Unapplied:
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index fcb91bc..2d84eea 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,7 +1,7 @@
-Bottom: dd5f61ec57d719c37843c4e02281f6e13e85e1e6
-Top:    7330788415ea874753e04d105c9610b828888f8d
+Bottom: 9a965dda103f127bc6ee768c73f81465bb617ddc
+Top:    42073023177bd6d20e6b8df2090232d020997496
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 21:57:08 -0300
+Date:   2013-08-16 04:52:53 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 24f961d..7910a8d 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,7 +1,7 @@
-Bottom: 7330788415ea874753e04d105c9610b828888f8d
-Top:    938a0224455b9ed4d30c77898cfcda3e7658d101
+Bottom: 42073023177bd6d20e6b8df2090232d020997496
+Top:    50364dad6f3079f8f8364e094b81d4f279e17b9a
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:40 -0300
+Date:   2013-08-16 04:52:53 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index b81a770..38ab65e 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,7 +1,7 @@
-Bottom: 938a0224455b9ed4d30c77898cfcda3e7658d101
-Top:    11af94a52cfc833e6b706d5bb2641d219dd8e9b1
+Bottom: 50364dad6f3079f8f8364e094b81d4f279e17b9a
+Top:    2057130a7d71203b9a9f38120e917b098c480a6f
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:01:33 -0300
+Date:   2013-08-16 04:52:53 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index 17f1a35..4a2d7b5 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,7 +1,7 @@
-Bottom: 11af94a52cfc833e6b706d5bb2641d219dd8e9b1
-Top:    6971015fc6a93453edf7bda609669d84f67a4037
+Bottom: 2057130a7d71203b9a9f38120e917b098c480a6f
+Top:    94804776420739d4e7851f76aae8683d669215d4
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:03:16 -0300
+Date:   2013-08-16 04:52:53 -0300
 
 Thread safety documentation.
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/conf.texi b/manual/conf.texi
-index 7eb8b36..edbb2fd 100644
+index c720063..79bfcdb 100644
 --- a/manual/conf.texi
 +++ b/manual/conf.texi
 @@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
@@ -34,7 +34,7 @@ index 7eb8b36..edbb2fd 100644
  This function is used to inquire about runtime system parameters.  The
  @var{parameter} argument should be one of the @samp{_SC_} symbols listed
  below.
-@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
+@@ -1348,6 +1359,11 @@ argument are declared in the header file @file{unistd.h}.
  @comment unistd.h
  @comment POSIX.1
  @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
@@ -46,7 +46,7 @@ index 7eb8b36..edbb2fd 100644
  This function is used to inquire about the limits that apply to
  the file named @var{filename}.
  
-@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
+@@ -1375,6 +1391,8 @@ support the @var{parameter} for the specific file.
  @comment unistd.h
  @comment POSIX.1
  @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
@@ -55,7 +55,7 @@ index 7eb8b36..edbb2fd 100644
  This is just like @code{pathconf} except that an open file descriptor
  is used to specify the file for which information is requested, instead
  of a file name.
-@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
+@@ -1624,6 +1642,7 @@ system with the function @code{confstr}:
  @comment unistd.h
  @comment POSIX.2
  @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 48df593..a16a183 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,7 +1,7 @@
-Bottom: 6971015fc6a93453edf7bda609669d84f67a4037
-Top:    7995ce65c762cc782885f999be1655c53385b187
+Bottom: 94804776420739d4e7851f76aae8683d669215d4
+Top:    f5c503197dbf6356975447e7636e2dd3143a2989
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:03:47 -0300
+Date:   2013-08-16 04:52:54 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index e5aada3..e6d4b14 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,7 +1,7 @@
-Bottom: 7995ce65c762cc782885f999be1655c53385b187
-Top:    64ebd752fed5cf529fd9903b3078f66d5a39ae0f
+Bottom: f5c503197dbf6356975447e7636e2dd3143a2989
+Top:    003a6157dc020fa72680ae4a6ca0b81297cad891
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:41 -0300
+Date:   2013-08-16 04:52:54 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 8ca0d1e..952e178 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,7 +1,7 @@
-Bottom: 64ebd752fed5cf529fd9903b3078f66d5a39ae0f
-Top:    1c6445c77783aa0c8826066576f1bea1d574a20c
+Bottom: 003a6157dc020fa72680ae4a6ca0b81297cad891
+Top:    1bfb6d75e28a05d618536054d216af24c1d005eb
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:05:11 -0300
+Date:   2013-08-16 04:52:54 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 41e8371..d209c0e 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,7 +1,7 @@
-Bottom: 1c6445c77783aa0c8826066576f1bea1d574a20c
-Top:    1ff2a8e59e8b9699588c78ee345f4d6ed95eb078
+Bottom: 1bfb6d75e28a05d618536054d216af24c1d005eb
+Top:    e7b3cec4e03306c8e81023c08b98e74a0faacbbe
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:05:34 -0300
+Date:   2013-08-16 04:52:55 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index a573ff4..d425832 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,7 +1,7 @@
-Bottom: 50e2fbc0bfe0ec92d66e09e6b0891dfd6c8d53b7
-Top:    dd5f61ec57d719c37843c4e02281f6e13e85e1e6
+Bottom: 3e408a78cb48814b5d0267f4ac1660cd08e00d24
+Top:    9a965dda103f127bc6ee768c73f81465bb617ddc
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:39 -0300
+Date:   2013-08-16 04:52:52 -0300
 
 Thread safety documentation.
 
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index 5a7513e..300c5fe 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,7 +1,7 @@
-Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
-Top:    b937cc635d4d2275aefa75f55fe195e302fbe4e3
+Bottom: 268277f390b889cc857152d268242bd603036b9e
+Top:    16be1a6432db4b53f29115b9a137e0a9b5f72d63
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:39 -0300
+Date:   2013-08-16 04:52:51 -0300
 
 Note that powerpc fpu emulation status is not thread- or signal-safe.
 
diff --git a/patches/remove-sysdeps-ieee754-support.patch b/patches/remove-sysdeps-ieee754-support.patch
index 69f8047..7a78a03 100644
--- a/patches/remove-sysdeps-ieee754-support.patch
+++ b/patches/remove-sysdeps-ieee754-support.patch
@@ -1,7 +1,7 @@
-Bottom: 0cde62ba14858955eaea55ab1c1dff0f01f3a01a
-Top:    50e2fbc0bfe0ec92d66e09e6b0891dfd6c8d53b7
+Bottom: 411b24ed46994f8860e4a688d6846bba3af6a601
+Top:    3e408a78cb48814b5d0267f4ac1660cd08e00d24
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 00:32:53 -0300
+Date:   2013-08-16 04:52:52 -0300
 
 Remove unused sysdeps/ieee754/support.c.
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index eec1d7e..2b74aea 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,7 +1,7 @@
-Bottom: b937cc635d4d2275aefa75f55fe195e302fbe4e3
-Top:    0cde62ba14858955eaea55ab1c1dff0f01f3a01a
+Bottom: 16be1a6432db4b53f29115b9a137e0a9b5f72d63
+Top:    411b24ed46994f8860e4a688d6846bba3af6a601
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:39 -0300
+Date:   2013-08-16 04:52:51 -0300
 
 Rename unused scalb to scalbn to match prototype.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cf9af743e59dfbf5fda5a2a47c3e79180f45abdb

commit cf9af743e59dfbf5fda5a2a47c3e79180f45abdb
Merge: 8482cc6 ca6ff75 cccee05
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:22:57 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8482cc6da6e9bbd28bfe1e80fd39dbad3ce7a3e3

commit 8482cc6da6e9bbd28bfe1e80fd39dbad3ce7a3e3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:22:57 2013 -0300

    push

diff --git a/meta b/meta
index ac4a0a9..51877f4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 554b381a96e944c0f8154539602f5198d1174a22
-Head: 05c3b86470f7b78f9e514bd75ab3c578632a565e
+Previous: cccee05222f6772a39cbeff86aee5e69c20800ec
+Head: ca6ff75c053a2dc37c42b12d238e3397c604960b
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -20,15 +20,15 @@ Applied:
   manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
   manual-document-mt-safety-lang.patch: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
   manual-document-mt-safety-llio.patch: 05c3b86470f7b78f9e514bd75ab3c578632a565e
+  manual-document-mt-safety-stdio.patch: e0a2fb9204aeacafd5d47526aca8d0a0d3516b24
+  wip-manual-document-mt-safety-locale.patch: 25716969ed7bd40d588ad87a4199c942e09cb030
+  wip-manual-document-mt-safety-math.patch: 2040739b74bca159cee9d298f3e2b9f1c6419c10
+  wip-manual-document-mt-safety-startup.patch: 740bcbf778d5290c8109de9b137c0490ca6bd44c
+  wip-manual-document-mt-safety-search.patch: fc167765de08d9cc6eeefe08d13b8042927d4c46
+  wip-manual-document-mt-safety-resource.patch: d44818daeeff4059e760cd5ea9f085bf182eb717
+  wip-manual-document-mt-safety-string.patch: 4081c255aff07502983a04524774c57774175012
+  wip-manual-document-mt-safety-terminal.patch: 3497681f7e488536c7e151c731fff1a56e012b7d
+  wip-manual-document-mt-safety-threads.patch: c0dc224a795deac0cc8aacebcade8ae14842af01
+  wip-manual-document-mt-safety-time.patch: ca6ff75c053a2dc37c42b12d238e3397c604960b
 Unapplied:
-  manual-document-mt-safety-stdio.patch: 572386734b3f9026025b6e60f2228c9f1ef0d4df
-  wip-manual-document-mt-safety-locale.patch: a82b9814d4f81db18ea5c553cd5dc5fbf31bdb1e
-  wip-manual-document-mt-safety-math.patch: 7920ad2e3774239d123ce62cd383720426b44135
-  wip-manual-document-mt-safety-startup.patch: 504c5cdd62bacdeae9ba6f7550489a423eb8a67d
-  wip-manual-document-mt-safety-search.patch: efc52b412d2d5f65ac9ecaf68cda4e1162266950
-  wip-manual-document-mt-safety-resource.patch: dbb35227cf0315c69f5a1194567dddd28783220f
-  wip-manual-document-mt-safety-string.patch: 92527f1339cb3a36dcf9205dd9beee30d6ddf61c
-  wip-manual-document-mt-safety-terminal.patch: c7d4f8fa7082247cd3fc7df9be81db43d8ab58c8
-  wip-manual-document-mt-safety-threads.patch: 9c43a2b276badc905035a6b2e236c71505455f4e
-  wip-manual-document-mt-safety-time.patch: 92cf02f3b8f1ded1ab0b40e598db58d47798032f
 Hidden:
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 425de60..3de963c 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 70450337f67d11a45e01f8b02431ebb6673feb3e
-Top:    e752d10b13d788334efeca8df965648711f065b8
+Bottom: 2ababec10bdc79e391c0dcfade6046586526bff9
+Top:    d690f2a44f6c21eb342e9a3e7523dc72068502a3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 40ed885..a8e5755 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: e752d10b13d788334efeca8df965648711f065b8
-Top:    266a8601bddcaf307b45fc05a4260787db0e6856
+Bottom: d690f2a44f6c21eb342e9a3e7523dc72068502a3
+Top:    481e29ddef07c3cc482dc5a495a3e73b301a97f3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 65e5ca7..27aa7ee 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 266a8601bddcaf307b45fc05a4260787db0e6856
-Top:    70f620109a737254c3625806efb80fdaee04f15b
+Bottom: 481e29ddef07c3cc482dc5a495a3e73b301a97f3
+Top:    9f9c0f06c0d34f15d4b04a2a152676ffd52e8df7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index b385d72..0574acd 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 110587b84e839d24b49b06c72adac07e1b608d94
-Top:    6ffe7a66b2b3229a0286930c23a83d4d6d915933
+Bottom: 33e1f4fae29f5947f17f70936d3d315b01dff62f
+Top:    3e9c626e7fe436b3de908fc12ed371d066d8f391
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 160c1f8..ee61379 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 37185242102b30e75f0b0d0c5e7196aded93c284
-Top:    110587b84e839d24b49b06c72adac07e1b608d94
+Bottom: cf86ac4dd59923640662568a6cede5e573261672
+Top:    33e1f4fae29f5947f17f70936d3d315b01dff62f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index fed6a93..a9dfcb5 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 70f620109a737254c3625806efb80fdaee04f15b
-Top:    37185242102b30e75f0b0d0c5e7196aded93c284
+Bottom: 9f9c0f06c0d34f15d4b04a2a152676ffd52e8df7
+Top:    cf86ac4dd59923640662568a6cede5e573261672
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 552db1e..395919e 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 6ffe7a66b2b3229a0286930c23a83d4d6d915933
-Top:    6eb8d67c9bdb85dc5bab11e1d652794f9a53ce22
+Bottom: 3e9c626e7fe436b3de908fc12ed371d066d8f391
+Top:    c89da0b4d41a5745fd4e2551d486e9d9dd0d56d1
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 8a27596..5ed60c1 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 6eb8d67c9bdb85dc5bab11e1d652794f9a53ce22
-Top:    12f26fdb9cef342cad845ae75f3c0d8506505bf7
+Bottom: c89da0b4d41a5745fd4e2551d486e9d9dd0d56d1
+Top:    8cea251adc99eb63d9bdc273e9afd6cd37042dcc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index dc5d838..c8cfc0b 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 12f26fdb9cef342cad845ae75f3c0d8506505bf7
-Top:    8f34e176a621bbe4f96be6fefd72589012261428
+Bottom: 8cea251adc99eb63d9bdc273e9afd6cd37042dcc
+Top:    62785faca46da74e7a2dced79e5b7e422ee534f3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 43b3a63..c9b5cb3 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 8f34e176a621bbe4f96be6fefd72589012261428
-Top:    6e96df8705d60c67a265fd5acf7f506fd67f4782
+Bottom: 62785faca46da74e7a2dced79e5b7e422ee534f3
+Top:    85ac7ce981e14893c88c124b59ba947a9ba69034
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ca6ff75c053a2dc37c42b12d238e3397c604960b

commit ca6ff75c053a2dc37c42b12d238e3397c604960b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c0dc224a795deac0cc8aacebcade8ae14842af01

commit c0dc224a795deac0cc8aacebcade8ae14842af01
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3497681f7e488536c7e151c731fff1a56e012b7d

commit 3497681f7e488536c7e151c731fff1a56e012b7d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4081c255aff07502983a04524774c57774175012

commit 4081c255aff07502983a04524774c57774175012
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d44818daeeff4059e760cd5ea9f085bf182eb717

commit d44818daeeff4059e760cd5ea9f085bf182eb717
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fc167765de08d9cc6eeefe08d13b8042927d4c46

commit fc167765de08d9cc6eeefe08d13b8042927d4c46
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=740bcbf778d5290c8109de9b137c0490ca6bd44c

commit 740bcbf778d5290c8109de9b137c0490ca6bd44c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2040739b74bca159cee9d298f3e2b9f1c6419c10

commit 2040739b74bca159cee9d298f3e2b9f1c6419c10
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=25716969ed7bd40d588ad87a4199c942e09cb030

commit 25716969ed7bd40d588ad87a4199c942e09cb030
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e0a2fb9204aeacafd5d47526aca8d0a0d3516b24

commit e0a2fb9204aeacafd5d47526aca8d0a0d3516b24
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cccee05222f6772a39cbeff86aee5e69c20800ec

commit cccee05222f6772a39cbeff86aee5e69c20800ec
Merge: d41406e 05c3b86 554b381
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:22:47 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d41406ec4a3470eb11fb643f7d5d3e4ca5693764

commit d41406ec4a3470eb11fb643f7d5d3e4ca5693764
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:22:47 2013 -0300

    refresh

diff --git a/meta b/meta
index 529af8a..ac4a0a9 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 0be4967a4ac472eaab48e73093280305499c0967
-Head: 21e4f8f2a2a89b0bd1927926f4d03034066b1402
+Previous: 554b381a96e944c0f8154539602f5198d1174a22
+Head: 05c3b86470f7b78f9e514bd75ab3c578632a565e
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -19,8 +19,7 @@ Applied:
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
   manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
   manual-document-mt-safety-lang.patch: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
-  manual-document-mt-safety-llio.patch: 9992d089f12b96c05738ef8524aa16917cbee72a
-  refresh-temp: 21e4f8f2a2a89b0bd1927926f4d03034066b1402
+  manual-document-mt-safety-llio.patch: 05c3b86470f7b78f9e514bd75ab3c578632a565e
 Unapplied:
   manual-document-mt-safety-stdio.patch: 572386734b3f9026025b6e60f2228c9f1ef0d4df
   wip-manual-document-mt-safety-locale.patch: a82b9814d4f81db18ea5c553cd5dc5fbf31bdb1e
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index c87a4f8..28a9a28 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
 Bottom: fc738e25133a6fc7d7d322e4aaa73f98f45ee411
-Top:    70450337f67d11a45e01f8b02431ebb6673feb3e
+Top:    2ababec10bdc79e391c0dcfade6046586526bff9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/llio.texi b/manual/llio.texi
-index b129cf4..66370c4 100644
+index b129cf4..c350585 100644
 --- a/manual/llio.texi
 +++ b/manual/llio.texi
 @@ -78,6 +78,7 @@ declared in @file{unistd.h}.
@@ -156,20 +156,19 @@ index b129cf4..66370c4 100644
  The @code{fileno_unlocked} function is equivalent to the @code{fileno}
  function except that it does not implicitly lock the stream if the state
  is @code{FSETLOCKING_INTERNAL}.
-@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
+@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
  @comment sys/uio.h
  @comment BSD
  @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
--
 +@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 +@c The fallback sysdeps/posix implementation, used even on GNU/Linux
 +@c with old kernels that lack a full readv/writev implementation, may
 +@c malloc the buffer into which data is read, if the total read size is
 +@c too large for alloca.
+ 
  The @code{readv} function reads data from @var{filedes} and scatters it
  into the buffers described in @var{vector}, which is taken to be
- @var{count} structures long.  As each buffer is filled, data is sent to the
-@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
+@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
  @comment sys/uio.h
  @comment BSD
  @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
@@ -181,7 +180,7 @@ index b129cf4..66370c4 100644
  
  The @code{writev} function gathers data from the buffers described in
  @var{vector}, which is taken to be @var{count} structures long, and writes
-@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
+@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
  @comment sys/mman.h
  @comment POSIX
  @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
@@ -189,7 +188,7 @@ index b129cf4..66370c4 100644
  
  The @code{mmap} function creates a new mapping, connected to bytes
  (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
-@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
+@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
  @comment sys/mman.h
  @comment LFS
  @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
@@ -199,7 +198,7 @@ index b129cf4..66370c4 100644
  The @code{mmap64} function is equivalent to the @code{mmap} function but
  the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
  this allows the file associated with the @var{filedes} descriptor to be
-@@ -1284,6 +1325,7 @@ replaces the old API.
+@@ -1284,6 +1326,7 @@ replaces the old API.
  @comment sys/mman.h
  @comment POSIX
  @deftypefun int munmap (void *@var{addr}, size_t @var{length})
@@ -207,7 +206,7 @@ index b129cf4..66370c4 100644
  
  @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
  @var{length}).  @var{length} should be the length of the mapping.
-@@ -1310,6 +1352,7 @@ aligned.
+@@ -1310,6 +1353,7 @@ aligned.
  @comment sys/mman.h
  @comment POSIX
  @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
@@ -215,7 +214,7 @@ index b129cf4..66370c4 100644
  
  When using shared mappings, the kernel can write the file at any time
  before the mapping is removed.  To be certain data has actually been
-@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
+@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
  @comment sys/mman.h
  @comment GNU
  @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
@@ -223,7 +222,7 @@ index b129cf4..66370c4 100644
  
  This function can be used to change the size of an existing memory
  area. @var{address} and @var{length} must cover a region entirely mapped
-@@ -1405,6 +1449,7 @@ Coding Standards}.
+@@ -1405,6 +1450,7 @@ Coding Standards}.
  @comment sys/mman.h
  @comment POSIX
  @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
@@ -231,7 +230,7 @@ index b129cf4..66370c4 100644
  
  This function can be used to provide the system with @var{advice} about
  the intended usage patterns of the memory region starting at @var{addr}
-@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
+@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
  @comment sys/types.h
  @comment BSD
  @deftypefn Macro void FD_ZERO (fd_set *@var{set})
@@ -239,7 +238,7 @@ index b129cf4..66370c4 100644
  This macro initializes the file descriptor set @var{set} to be the
  empty set.
  @end deftypefn
-@@ -1538,6 +1584,9 @@ empty set.
+@@ -1538,6 +1585,9 @@ empty set.
  @comment sys/types.h
  @comment BSD
  @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
@@ -249,7 +248,7 @@ index b129cf4..66370c4 100644
  This macro adds @var{filedes} to the file descriptor set @var{set}.
  
  The @var{filedes} parameter must not have side effects since it is
-@@ -1547,6 +1596,9 @@ evaluated more than once.
+@@ -1547,6 +1597,9 @@ evaluated more than once.
  @comment sys/types.h
  @comment BSD
  @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
@@ -259,7 +258,7 @@ index b129cf4..66370c4 100644
  This macro removes @var{filedes} from the file descriptor set @var{set}.
  
  The @var{filedes} parameter must not have side effects since it is
-@@ -1556,6 +1608,7 @@ evaluated more than once.
+@@ -1556,6 +1609,7 @@ evaluated more than once.
  @comment sys/types.h
  @comment BSD
  @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
@@ -267,7 +266,7 @@ index b129cf4..66370c4 100644
  This macro returns a nonzero value (true) if @var{filedes} is a member
  of the file descriptor set @var{set}, and zero (false) otherwise.
  
-@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
+@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
  @comment sys/types.h
  @comment BSD
  @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
@@ -278,7 +277,7 @@ index b129cf4..66370c4 100644
  The @code{select} function blocks the calling process until there is
  activity on any of the specified sets of file descriptors, or until the
  timeout period has expired.
-@@ -1670,6 +1727,7 @@ they return.
+@@ -1670,6 +1728,7 @@ they return.
  @comment unistd.h
  @comment X/Open
  @deftypefun void sync (void)
@@ -286,7 +285,7 @@ index b129cf4..66370c4 100644
  A call to this function will not return as long as there is data which
  has not been written to the device.  All dirty buffers in the kernel will
  be written and so an overall consistent system can be achieved (if no
-@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
+@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
  @comment unistd.h
  @comment POSIX
  @deftypefun int fsync (int @var{fildes})
@@ -294,7 +293,7 @@ index b129cf4..66370c4 100644
  The @code{fsync} function can be used to make sure all data associated with
  the open file @var{fildes} is written to the device associated with the
  descriptor.  The function call does not return unless all actions have
-@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
+@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
  @comment unistd.h
  @comment POSIX
  @deftypefun int fdatasync (int @var{fildes})
@@ -302,7 +301,7 @@ index b129cf4..66370c4 100644
  When a call to the @code{fdatasync} function returns, it is ensured
  that all of the file data is written to the device.  For all pending I/O
  operations, the parts guaranteeing data integrity finished.
-@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
+@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
  @comment aio.h
  @comment POSIX.1b
  @deftypefun int aio_read (struct aiocb *@var{aiocbp})
@@ -461,7 +460,7 @@ index b129cf4..66370c4 100644
  This function initiates an asynchronous read operation.  It
  immediately returns after the operation was enqueued or when an
  error was encountered.
-@@ -1988,6 +2200,7 @@ replaces the normal implementation.
+@@ -1988,6 +2201,7 @@ replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
@@ -469,7 +468,7 @@ index b129cf4..66370c4 100644
  This function is similar to the @code{aio_read} function.  The only
  difference is that on @w{32 bit} machines, the file descriptor should
  be opened in the large file mode.  Internally, @code{aio_read64} uses
-@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
+@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
  @comment aio.h
  @comment POSIX.1b
  @deftypefun int aio_write (struct aiocb *@var{aiocbp})
@@ -477,7 +476,7 @@ index b129cf4..66370c4 100644
  This function initiates an asynchronous write operation.  The function
  call immediately returns after the operation was enqueued or if before
  this happens an error was encountered.
-@@ -2072,6 +2286,7 @@ replaces the normal implementation.
+@@ -2072,6 +2287,7 @@ replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
@@ -485,7 +484,7 @@ index b129cf4..66370c4 100644
  This function is similar to the @code{aio_write} function.  The only
  difference is that on @w{32 bit} machines the file descriptor should
  be opened in the large file mode.  Internally @code{aio_write64} uses
-@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
+@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
  @comment aio.h
  @comment POSIX.1b
  @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
@@ -498,7 +497,7 @@ index b129cf4..66370c4 100644
  The @code{lio_listio} function can be used to enqueue an arbitrary
  number of read and write requests at one time.  The requests can all be
  meant for the same file, all for different files or every solution in
-@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
+@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
@@ -506,7 +505,7 @@ index b129cf4..66370c4 100644
  This function is similar to the @code{lio_listio} function.  The only
  difference is that on @w{32 bit} machines, the file descriptor should
  be opened in the large file mode.  Internally, @code{lio_listio64} uses
-@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
+@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
  @comment aio.h
  @comment POSIX.1b
  @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
@@ -514,7 +513,7 @@ index b129cf4..66370c4 100644
  This function determines the error state of the request described by the
  @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
  request has not yet terminated the value returned is always
-@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
+@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
@@ -522,7 +521,7 @@ index b129cf4..66370c4 100644
  This function is similar to @code{aio_error} with the only difference
  that the argument is a reference to a variable of type @code{struct
  aiocb64}.
-@@ -2238,6 +2462,7 @@ machines.
+@@ -2238,6 +2463,7 @@ machines.
  @comment aio.h
  @comment POSIX.1b
  @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
@@ -530,7 +529,7 @@ index b129cf4..66370c4 100644
  This function can be used to retrieve the return status of the operation
  carried out by the request described in the variable pointed to by
  @var{aiocbp}.  As long as the error status of this request as returned
-@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
+@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
@@ -538,7 +537,7 @@ index b129cf4..66370c4 100644
  This function is similar to @code{aio_return} with the only difference
  that the argument is a reference to a variable of type @code{struct
  aiocb64}.
-@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
+@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
  @comment aio.h
  @comment POSIX.1b
  @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
@@ -548,7 +547,7 @@ index b129cf4..66370c4 100644
  Calling this function forces all I/O operations operating queued at the
  time of the function call operating on the file descriptor
  @code{aiocbp->aio_fildes} into the synchronized I/O completion state
-@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
+@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
@@ -556,7 +555,7 @@ index b129cf4..66370c4 100644
  This function is similar to @code{aio_fsync} with the only difference
  that the argument is a reference to a variable of type @code{struct
  aiocb64}.
-@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
+@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
  @comment aio.h
  @comment POSIX.1b
  @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
@@ -566,7 +565,7 @@ index b129cf4..66370c4 100644
  When calling this function, the calling thread is suspended until at
  least one of the requests pointed to by the @var{nent} elements of the
  array @var{list} has completed.  If any of the requests has already
-@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
+@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
@@ -574,7 +573,7 @@ index b129cf4..66370c4 100644
  This function is similar to @code{aio_suspend} with the only difference
  that the argument is a reference to a variable of type @code{struct
  aiocb64}.
-@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
+@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
  @comment aio.h
  @comment POSIX.1b
  @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
@@ -591,7 +590,7 @@ index b129cf4..66370c4 100644
  The @code{aio_cancel} function can be used to cancel one or more
  outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
  function tries to cancel all of the outstanding requests which would process
-@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
+@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
  @comment aio.h
  @comment Unix98
  @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
@@ -599,7 +598,7 @@ index b129cf4..66370c4 100644
  This function is similar to @code{aio_cancel} with the only difference
  that the argument is a reference to a variable of type @code{struct
  aiocb64}.
-@@ -2529,6 +2774,8 @@ Unused.
+@@ -2529,6 +2775,8 @@ Unused.
  @comment aio.h
  @comment GNU
  @deftypefun void aio_init (const struct aioinit *@var{init})
@@ -608,7 +607,7 @@ index b129cf4..66370c4 100644
  This function must be called before any other AIO function.  Calling it
  is completely voluntary, as it is only meant to help the AIO
  implementation perform better.
-@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
+@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
  @comment fcntl.h
  @comment POSIX.1
  @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
@@ -616,7 +615,7 @@ index b129cf4..66370c4 100644
  The @code{fcntl} function performs the operation specified by
  @var{command} on the file descriptor @var{filedes}.  Some commands
  require additional arguments to be supplied.  These additional arguments
-@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
+@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
  @comment unistd.h
  @comment POSIX.1
  @deftypefun int dup (int @var{old})
@@ -624,7 +623,7 @@ index b129cf4..66370c4 100644
  This function copies descriptor @var{old} to the first available
  descriptor number (the first number not currently open).  It is
  equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
-@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
+@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
  @comment unistd.h
  @comment POSIX.1
  @deftypefun int dup2 (int @var{old}, int @var{new})
@@ -632,7 +631,7 @@ index b129cf4..66370c4 100644
  This function copies the descriptor @var{old} to descriptor number
  @var{new}.
  
-@@ -3631,6 +3881,7 @@ different headers.
+@@ -3631,6 +3882,7 @@ different headers.
  @comment sys/ioctl.h
  @comment BSD
  @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
@@ -640,7 +639,7 @@ index b129cf4..66370c4 100644
  
  The @code{ioctl} function performs the generic I/O operation
  @var{command} on @var{filedes}.
-@@ -3650,3 +3901,6 @@ unknown device.
+@@ -3650,3 +3902,6 @@ unknown device.
  Most IOCTLs are OS-specific and/or only used in special system utilities,
  and are thus beyond the scope of this document.  For an example of the use
  of an IOCTL, see @ref{Out-of-Band Data}.
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 4c8cfb0..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,21 +0,0 @@
-Bottom: 70450337f67d11a45e01f8b02431ebb6673feb3e
-Top:    2ababec10bdc79e391c0dcfade6046586526bff9
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:22:46 -0300
-
-Refresh of manual-document-mt-safety-llio.patch
-
----
-
-diff --git a/manual/llio.texi b/manual/llio.texi
-index 66370c4..c350585 100644
---- a/manual/llio.texi
-+++ b/manual/llio.texi
-@@ -1104,6 +1104,7 @@ Contains the length of the buffer.
- @c with old kernels that lack a full readv/writev implementation, may
- @c malloc the buffer into which data is read, if the total read size is
- @c too large for alloca.
-+
- The @code{readv} function reads data from @var{filedes} and scatters it
- into the buffers described in @var{vector}, which is taken to be
- @var{count} structures long.  As each buffer is filled, data is sent to the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=554b381a96e944c0f8154539602f5198d1174a22

commit 554b381a96e944c0f8154539602f5198d1174a22
Merge: 259ab0d 0be4967 21e4f8f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:22:46 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=259ab0d8e335c2bc07f4ba80d69813f1528c2609

commit 259ab0d8e335c2bc07f4ba80d69813f1528c2609
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:22:46 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index e65cb3f..529af8a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 95b05fe32d91f7cdf631389a6f24fa635a3a0f69
-Head: 9992d089f12b96c05738ef8524aa16917cbee72a
+Previous: 0be4967a4ac472eaab48e73093280305499c0967
+Head: 21e4f8f2a2a89b0bd1927926f4d03034066b1402
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
   manual-document-mt-safety-lang.patch: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
   manual-document-mt-safety-llio.patch: 9992d089f12b96c05738ef8524aa16917cbee72a
+  refresh-temp: 21e4f8f2a2a89b0bd1927926f4d03034066b1402
 Unapplied:
   manual-document-mt-safety-stdio.patch: 572386734b3f9026025b6e60f2228c9f1ef0d4df
   wip-manual-document-mt-safety-locale.patch: a82b9814d4f81db18ea5c553cd5dc5fbf31bdb1e
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..4c8cfb0
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,21 @@
+Bottom: 70450337f67d11a45e01f8b02431ebb6673feb3e
+Top:    2ababec10bdc79e391c0dcfade6046586526bff9
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 04:22:46 -0300
+
+Refresh of manual-document-mt-safety-llio.patch
+
+---
+
+diff --git a/manual/llio.texi b/manual/llio.texi
+index 66370c4..c350585 100644
+--- a/manual/llio.texi
++++ b/manual/llio.texi
+@@ -1104,6 +1104,7 @@ Contains the length of the buffer.
+ @c with old kernels that lack a full readv/writev implementation, may
+ @c malloc the buffer into which data is read, if the total read size is
+ @c too large for alloca.
++
+ The @code{readv} function reads data from @var{filedes} and scatters it
+ into the buffers described in @var{vector}, which is taken to be
+ @var{count} structures long.  As each buffer is filled, data is sent to the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=21e4f8f2a2a89b0bd1927926f4d03034066b1402

commit 21e4f8f2a2a89b0bd1927926f4d03034066b1402
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:22:46 2013 -0300

    Refresh of manual-document-mt-safety-llio.patch

diff --git a/manual/llio.texi b/manual/llio.texi
index 66370c4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -1104,6 +1104,7 @@ Contains the length of the buffer.
 @c with old kernels that lack a full readv/writev implementation, may
 @c malloc the buffer into which data is read, if the total read size is
 @c too large for alloca.
+
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0be4967a4ac472eaab48e73093280305499c0967

commit 0be4967a4ac472eaab48e73093280305499c0967
Merge: 22fb8a2 95b05fe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:21:25 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=22fb8a25581baa536a83f43098e1defd2abf6c80

commit 22fb8a25581baa536a83f43098e1defd2abf6c80
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:21:25 2013 -0300

    goto

diff --git a/meta b/meta
index 1cd20b8..e65cb3f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 2f5054826615e2e6fc557b9aff0c1a4902a09c44
-Head: 92cf02f3b8f1ded1ab0b40e598db58d47798032f
+Previous: 95b05fe32d91f7cdf631389a6f24fa635a3a0f69
+Head: 9992d089f12b96c05738ef8524aa16917cbee72a
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
   manual-document-mt-safety-lang.patch: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
   manual-document-mt-safety-llio.patch: 9992d089f12b96c05738ef8524aa16917cbee72a
+Unapplied:
   manual-document-mt-safety-stdio.patch: 572386734b3f9026025b6e60f2228c9f1ef0d4df
   wip-manual-document-mt-safety-locale.patch: a82b9814d4f81db18ea5c553cd5dc5fbf31bdb1e
   wip-manual-document-mt-safety-math.patch: 7920ad2e3774239d123ce62cd383720426b44135
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: c7d4f8fa7082247cd3fc7df9be81db43d8ab58c8
   wip-manual-document-mt-safety-threads.patch: 9c43a2b276badc905035a6b2e236c71505455f4e
   wip-manual-document-mt-safety-time.patch: 92cf02f3b8f1ded1ab0b40e598db58d47798032f
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=95b05fe32d91f7cdf631389a6f24fa635a3a0f69

commit 95b05fe32d91f7cdf631389a6f24fa635a3a0f69
Merge: f16491c 92cf02f 2f50548
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:51 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f16491c27149d3133dc1627452c3dca742f62ff1

commit f16491c27149d3133dc1627452c3dca742f62ff1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:51 2013 -0300

    push

diff --git a/meta b/meta
index 8461e75..1cd20b8 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 707a7abaa781a9a10ad887ff54cde0f90ed0e769
-Head: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
+Previous: 2f5054826615e2e6fc557b9aff0c1a4902a09c44
+Head: 92cf02f3b8f1ded1ab0b40e598db58d47798032f
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -19,16 +19,16 @@ Applied:
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
   manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
   manual-document-mt-safety-lang.patch: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
+  manual-document-mt-safety-llio.patch: 9992d089f12b96c05738ef8524aa16917cbee72a
+  manual-document-mt-safety-stdio.patch: 572386734b3f9026025b6e60f2228c9f1ef0d4df
+  wip-manual-document-mt-safety-locale.patch: a82b9814d4f81db18ea5c553cd5dc5fbf31bdb1e
+  wip-manual-document-mt-safety-math.patch: 7920ad2e3774239d123ce62cd383720426b44135
+  wip-manual-document-mt-safety-startup.patch: 504c5cdd62bacdeae9ba6f7550489a423eb8a67d
+  wip-manual-document-mt-safety-search.patch: efc52b412d2d5f65ac9ecaf68cda4e1162266950
+  wip-manual-document-mt-safety-resource.patch: dbb35227cf0315c69f5a1194567dddd28783220f
+  wip-manual-document-mt-safety-string.patch: 92527f1339cb3a36dcf9205dd9beee30d6ddf61c
+  wip-manual-document-mt-safety-terminal.patch: c7d4f8fa7082247cd3fc7df9be81db43d8ab58c8
+  wip-manual-document-mt-safety-threads.patch: 9c43a2b276badc905035a6b2e236c71505455f4e
+  wip-manual-document-mt-safety-time.patch: 92cf02f3b8f1ded1ab0b40e598db58d47798032f
 Unapplied:
-  manual-document-mt-safety-llio.patch: 8062c6db4730855258daa75bc0bc502e65b287d9
-  manual-document-mt-safety-stdio.patch: 9c1671ce52190da483b6ed123ca0c0a7024d1eb8
-  wip-manual-document-mt-safety-locale.patch: 5b196df6f05274d7d3fd4234ab11e9178803db7c
-  wip-manual-document-mt-safety-math.patch: ea2dbc48a6bc628804b250481195bfbad0d9a21b
-  wip-manual-document-mt-safety-startup.patch: 76e471e83914edb584ccb70db15f70f50f9ee13d
-  wip-manual-document-mt-safety-search.patch: d7ed3ad174a71581ec2932ab4a384c8266aec68f
-  wip-manual-document-mt-safety-resource.patch: a767734d6decbc515b2ce8685565558c574f1425
-  wip-manual-document-mt-safety-string.patch: b6e62ea39a43e0122e82c5090f6aba03894b4be2
-  wip-manual-document-mt-safety-terminal.patch: 275006e938dbc65a49bcb7e6da2a71e096da3834
-  wip-manual-document-mt-safety-threads.patch: 189493f2451b72c60eb8695626ffc08d7584b4f2
-  wip-manual-document-mt-safety-time.patch: b6437025912d8b67e3e8ecef23a518fa95899c33
 Hidden:
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 891b000..c87a4f8 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 85976e9026712b280af25c21b6bbad2161b83adc
-Top:    4b6492a76ca07bdd09694a3d815b525f7521be6e
+Bottom: fc738e25133a6fc7d7d322e4aaa73f98f45ee411
+Top:    70450337f67d11a45e01f8b02431ebb6673feb3e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index dd4e6a1..425de60 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 4b6492a76ca07bdd09694a3d815b525f7521be6e
-Top:    1e288609bd4b8602bc5c4017a4d64a5a266f5cf3
+Bottom: 70450337f67d11a45e01f8b02431ebb6673feb3e
+Top:    e752d10b13d788334efeca8df965648711f065b8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 5f8aa21..40ed885 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 1e288609bd4b8602bc5c4017a4d64a5a266f5cf3
-Top:    3f26707a55cc4b3743d8b20310060091a2722bf9
+Bottom: e752d10b13d788334efeca8df965648711f065b8
+Top:    266a8601bddcaf307b45fc05a4260787db0e6856
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 35f4e1e..65e5ca7 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 3f26707a55cc4b3743d8b20310060091a2722bf9
-Top:    a11c98df057934d5126974498680ca02e63cc81c
+Bottom: 266a8601bddcaf307b45fc05a4260787db0e6856
+Top:    70f620109a737254c3625806efb80fdaee04f15b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 69c8edf..b385d72 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 2f06c88f5e067c0ad69f34d0275014d09ff57a22
-Top:    29dcdfd1aff6c660e2916c04bc93e2e1e0a0b05f
+Bottom: 110587b84e839d24b49b06c72adac07e1b608d94
+Top:    6ffe7a66b2b3229a0286930c23a83d4d6d915933
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 81e4fc8..160c1f8 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 59d7e766f0565010748967e59406197c13ccae47
-Top:    2f06c88f5e067c0ad69f34d0275014d09ff57a22
+Bottom: 37185242102b30e75f0b0d0c5e7196aded93c284
+Top:    110587b84e839d24b49b06c72adac07e1b608d94
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 48ee6f2..fed6a93 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: a11c98df057934d5126974498680ca02e63cc81c
-Top:    59d7e766f0565010748967e59406197c13ccae47
+Bottom: 70f620109a737254c3625806efb80fdaee04f15b
+Top:    37185242102b30e75f0b0d0c5e7196aded93c284
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index bd701bf..552db1e 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 29dcdfd1aff6c660e2916c04bc93e2e1e0a0b05f
-Top:    6214ba87d46caf799e26d9dec166b0f306946143
+Bottom: 6ffe7a66b2b3229a0286930c23a83d4d6d915933
+Top:    6eb8d67c9bdb85dc5bab11e1d652794f9a53ce22
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 462849f..8a27596 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 6214ba87d46caf799e26d9dec166b0f306946143
-Top:    8ba6d8af046244985877511430d034165f4c58fc
+Bottom: 6eb8d67c9bdb85dc5bab11e1d652794f9a53ce22
+Top:    12f26fdb9cef342cad845ae75f3c0d8506505bf7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 9e05d78..dc5d838 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 8ba6d8af046244985877511430d034165f4c58fc
-Top:    fe5e48500cc7598452d5345c04173ce23157e134
+Bottom: 12f26fdb9cef342cad845ae75f3c0d8506505bf7
+Top:    8f34e176a621bbe4f96be6fefd72589012261428
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 82bbd95..43b3a63 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: fe5e48500cc7598452d5345c04173ce23157e134
-Top:    f9638e8d77bd09a6d39e04eb72367337c9d9e95a
+Bottom: 8f34e176a621bbe4f96be6fefd72589012261428
+Top:    6e96df8705d60c67a265fd5acf7f506fd67f4782
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=92cf02f3b8f1ded1ab0b40e598db58d47798032f

commit 92cf02f3b8f1ded1ab0b40e598db58d47798032f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9c43a2b276badc905035a6b2e236c71505455f4e

commit 9c43a2b276badc905035a6b2e236c71505455f4e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c7d4f8fa7082247cd3fc7df9be81db43d8ab58c8

commit c7d4f8fa7082247cd3fc7df9be81db43d8ab58c8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=92527f1339cb3a36dcf9205dd9beee30d6ddf61c

commit 92527f1339cb3a36dcf9205dd9beee30d6ddf61c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dbb35227cf0315c69f5a1194567dddd28783220f

commit dbb35227cf0315c69f5a1194567dddd28783220f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=efc52b412d2d5f65ac9ecaf68cda4e1162266950

commit efc52b412d2d5f65ac9ecaf68cda4e1162266950
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=504c5cdd62bacdeae9ba6f7550489a423eb8a67d

commit 504c5cdd62bacdeae9ba6f7550489a423eb8a67d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7920ad2e3774239d123ce62cd383720426b44135

commit 7920ad2e3774239d123ce62cd383720426b44135
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a82b9814d4f81db18ea5c553cd5dc5fbf31bdb1e

commit a82b9814d4f81db18ea5c553cd5dc5fbf31bdb1e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=572386734b3f9026025b6e60f2228c9f1ef0d4df

commit 572386734b3f9026025b6e60f2228c9f1ef0d4df
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=05c3b86470f7b78f9e514bd75ab3c578632a565e

commit 05c3b86470f7b78f9e514bd75ab3c578632a565e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..c350585 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,6 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
@@ -1089,6 +1122,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1187,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1307,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1326,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1353,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1401,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1450,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1577,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1585,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1597,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1609,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1622,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1728,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1744,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1782,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1984,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2201,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2220,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2287,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2309,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2398,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2427,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2449,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2463,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2487,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2516,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2566,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2593,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2634,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2662,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2719,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2775,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2811,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2894,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2903,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3882,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3902,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9992d089f12b96c05738ef8524aa16917cbee72a

commit 9992d089f12b96c05738ef8524aa16917cbee72a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2f5054826615e2e6fc557b9aff0c1a4902a09c44

commit 2f5054826615e2e6fc557b9aff0c1a4902a09c44
Merge: d07b235 5de7ed3 707a7ab
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:48 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d07b2357bf8b454d3bd8eda92712fc82c584bbed

commit d07b2357bf8b454d3bd8eda92712fc82c584bbed
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:48 2013 -0300

    push

diff --git a/meta b/meta
index 9b2186f..8461e75 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: abd4a6204043df6d8d24d5b81f86b9d4d6b8fd81
-Head: 1da38dc05daeed4e2d77f2923bb588bf259a7549
+Previous: 707a7abaa781a9a10ad887ff54cde0f90ed0e769
+Head: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -18,8 +18,8 @@ Applied:
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
   manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
+  manual-document-mt-safety-lang.patch: 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
 Unapplied:
-  manual-document-mt-safety-lang.patch: 41141365901b63e8e55ec323d5ee88c0a5815b44
   manual-document-mt-safety-llio.patch: 8062c6db4730855258daa75bc0bc502e65b287d9
   manual-document-mt-safety-stdio.patch: 9c1671ce52190da483b6ed123ca0c0a7024d1eb8
   wip-manual-document-mt-safety-locale.patch: 5b196df6f05274d7d3fd4234ab11e9178803db7c
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 21a368c..4c352a3 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 03e8d59af8e96de25460c03f60f6c5cc1a8c30d4
-Top:    85976e9026712b280af25c21b6bbad2161b83adc
+Bottom: c154c087966f912177b97ba1d21240ba8d015145
+Top:    fc738e25133a6fc7d7d322e4aaa73f98f45ee411
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5de7ed36be7b0c688b7b7b04bad5201b02ea50f0

commit 5de7ed36be7b0c688b7b7b04bad5201b02ea50f0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=707a7abaa781a9a10ad887ff54cde0f90ed0e769

commit 707a7abaa781a9a10ad887ff54cde0f90ed0e769
Merge: 5f28a96 abd4a62 1da38dc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:46 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5f28a96b61497665aaf2192a8b7f14cbc12424bc

commit 5f28a96b61497665aaf2192a8b7f14cbc12424bc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:46 2013 -0300

    refresh

diff --git a/meta b/meta
index 7856690..9b2186f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: fecbbf3ca724921c2abe44f2d591f869a284a1fc
-Head: 557ddf1f9c8d2be5bb5344391e1c2c6e3828eaab
+Previous: abd4a6204043df6d8d24d5b81f86b9d4d6b8fd81
+Head: 1da38dc05daeed4e2d77f2923bb588bf259a7549
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -17,8 +17,7 @@ Applied:
   manual-document-mt-safety-filesys.patch: 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
-  manual-document-mt-safety-job.patch: 4d2559566ff7755a036f856a9b4b701bafb4cc66
-  refresh-temp: 557ddf1f9c8d2be5bb5344391e1c2c6e3828eaab
+  manual-document-mt-safety-job.patch: 1da38dc05daeed4e2d77f2923bb588bf259a7549
 Unapplied:
   manual-document-mt-safety-lang.patch: 41141365901b63e8e55ec323d5ee88c0a5815b44
   manual-document-mt-safety-llio.patch: 8062c6db4730855258daa75bc0bc502e65b287d9
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 4195aa0..dd27713 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
 Bottom: 6e873142fc9dc8e6673808013c93d2c58ce98443
-Top:    03e8d59af8e96de25460c03f60f6c5cc1a8c30d4
+Top:    c154c087966f912177b97ba1d21240ba8d015145
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/job.texi b/manual/job.texi
-index 4efeed3..779ea96 100644
+index 4efeed3..2c46771 100644
 --- a/manual/job.texi
 +++ b/manual/job.texi
 @@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
@@ -39,17 +39,16 @@ index 4efeed3..779ea96 100644
  The @code{setsid} function creates a new session.  The calling process
  becomes the session leader, and is put in a new process group whose
  process group ID is the same as the process ID of that process.  There
-@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
+@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
  @comment unistd.h
  @comment SVID
  @deftypefun pid_t getsid (pid_t @var{pid})
--
 +@safety{@mtsafe{}@assafe{}@acsafe{}}
 +@c Stub or direct syscall, except on hurd, where it is equally safe.
+ 
  The @code{getsid} function returns the process group ID of the session
  leader of the specified process.  If a @var{pid} is @code{0}, the
- process group ID of the session leader of the current process is
-@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
+@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
  @comment unistd.h
  @comment POSIX.1
  @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
@@ -58,7 +57,7 @@ index 4efeed3..779ea96 100644
  The POSIX.1 definition of @code{getpgrp} returns the process group ID of
  the calling process.
  @end deftypefn
-@@ -1141,6 +1153,8 @@ the calling process.
+@@ -1141,6 +1154,8 @@ the calling process.
  @comment unistd.h
  @comment BSD
  @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
@@ -67,7 +66,7 @@ index 4efeed3..779ea96 100644
  The BSD definition of @code{getpgrp} returns the process group ID of the
  process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
  argument to get information about the calling process.
-@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
+@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
  @comment unistd.h
  @comment SVID
  @deftypefn {System V Function} int getpgid (pid_t @var{pid})
@@ -76,7 +75,7 @@ index 4efeed3..779ea96 100644
  
  @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
  returns the process group ID of the process @var{pid}.  You can supply a
-@@ -1171,6 +1187,8 @@ process.
+@@ -1171,6 +1188,8 @@ process.
  @comment unistd.h
  @comment POSIX.1
  @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
@@ -85,7 +84,7 @@ index 4efeed3..779ea96 100644
  The @code{setpgid} function puts the process @var{pid} into the process
  group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
  be zero to indicate the process ID of the calling process.
-@@ -1208,6 +1226,8 @@ process or a child of the calling process.
+@@ -1208,6 +1227,8 @@ process or a child of the calling process.
  @comment unistd.h
  @comment BSD
  @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
@@ -94,7 +93,7 @@ index 4efeed3..779ea96 100644
  This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
  the same thing.
  @end deftypefun
-@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
+@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
  @comment unistd.h
  @comment POSIX.1
  @deftypefun pid_t tcgetpgrp (int @var{filedes})
@@ -103,7 +102,7 @@ index 4efeed3..779ea96 100644
  This function returns the process group ID of the foreground process
  group associated with the terminal open on descriptor @var{filedes}.
  
-@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
+@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
  @comment unistd.h
  @comment POSIX.1
  @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
@@ -112,7 +111,7 @@ index 4efeed3..779ea96 100644
  This function is used to set a terminal's foreground process group ID.
  The argument @var{filedes} is a descriptor which specifies the terminal;
  @var{pgid} specifies the process group.  The calling process must be a
-@@ -1297,6 +1321,8 @@ process.
+@@ -1297,6 +1322,8 @@ process.
  @comment termios.h
  @comment Unix98
  @deftypefun pid_t tcgetsid (int @var{fildes})
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 8491209..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,21 +0,0 @@
-Bottom: 03e8d59af8e96de25460c03f60f6c5cc1a8c30d4
-Top:    c154c087966f912177b97ba1d21240ba8d015145
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:16:45 -0300
-
-Refresh of manual-document-mt-safety-job.patch
-
----
-
-diff --git a/manual/job.texi b/manual/job.texi
-index 779ea96..2c46771 100644
---- a/manual/job.texi
-+++ b/manual/job.texi
-@@ -1109,6 +1109,7 @@ already another process group around that has the same process group ID.
- @deftypefun pid_t getsid (pid_t @var{pid})
- @safety{@mtsafe{}@assafe{}@acsafe{}}
- @c Stub or direct syscall, except on hurd, where it is equally safe.
-+
- The @code{getsid} function returns the process group ID of the session
- leader of the specified process.  If a @var{pid} is @code{0}, the
- process group ID of the session leader of the current process is

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=abd4a6204043df6d8d24d5b81f86b9d4d6b8fd81

commit abd4a6204043df6d8d24d5b81f86b9d4d6b8fd81
Merge: a3d3ce2 fecbbf3 557ddf1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:46 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a3d3ce2b4e55a442b9b325ec250e436b409b35c9

commit a3d3ce2b4e55a442b9b325ec250e436b409b35c9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:46 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 5e6583f..7856690 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 0f8b761b3aec9a666a413c639b2774027e0597fe
-Head: 4d2559566ff7755a036f856a9b4b701bafb4cc66
+Previous: fecbbf3ca724921c2abe44f2d591f869a284a1fc
+Head: 557ddf1f9c8d2be5bb5344391e1c2c6e3828eaab
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -18,6 +18,7 @@ Applied:
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
   manual-document-mt-safety-job.patch: 4d2559566ff7755a036f856a9b4b701bafb4cc66
+  refresh-temp: 557ddf1f9c8d2be5bb5344391e1c2c6e3828eaab
 Unapplied:
   manual-document-mt-safety-lang.patch: 41141365901b63e8e55ec323d5ee88c0a5815b44
   manual-document-mt-safety-llio.patch: 8062c6db4730855258daa75bc0bc502e65b287d9
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..8491209
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,21 @@
+Bottom: 03e8d59af8e96de25460c03f60f6c5cc1a8c30d4
+Top:    c154c087966f912177b97ba1d21240ba8d015145
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 04:16:45 -0300
+
+Refresh of manual-document-mt-safety-job.patch
+
+---
+
+diff --git a/manual/job.texi b/manual/job.texi
+index 779ea96..2c46771 100644
+--- a/manual/job.texi
++++ b/manual/job.texi
+@@ -1109,6 +1109,7 @@ already another process group around that has the same process group ID.
+ @deftypefun pid_t getsid (pid_t @var{pid})
+ @safety{@mtsafe{}@assafe{}@acsafe{}}
+ @c Stub or direct syscall, except on hurd, where it is equally safe.
++
+ The @code{getsid} function returns the process group ID of the session
+ leader of the specified process.  If a @var{pid} is @code{0}, the
+ process group ID of the session leader of the current process is

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=557ddf1f9c8d2be5bb5344391e1c2c6e3828eaab

commit 557ddf1f9c8d2be5bb5344391e1c2c6e3828eaab
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:45 2013 -0300

    Refresh of manual-document-mt-safety-job.patch

diff --git a/manual/job.texi b/manual/job.texi
index 779ea96..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1109,6 +1109,7 @@ already another process group around that has the same process group ID.
 @deftypefun pid_t getsid (pid_t @var{pid})
 @safety{@mtsafe{}@assafe{}@acsafe{}}
 @c Stub or direct syscall, except on hurd, where it is equally safe.
+
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fecbbf3ca724921c2abe44f2d591f869a284a1fc

commit fecbbf3ca724921c2abe44f2d591f869a284a1fc
Merge: 2b498ca 0f8b761
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:33 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2b498ca9106f6940b55e89dc375a4c5d8193a5ac

commit 2b498ca9106f6940b55e89dc375a4c5d8193a5ac
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:16:33 2013 -0300

    goto

diff --git a/meta b/meta
index 970df3a..5e6583f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 4d53ec8a1a42816f64ee5b97d51b7f51ea3e9663
-Head: b6437025912d8b67e3e8ecef23a518fa95899c33
+Previous: 0f8b761b3aec9a666a413c639b2774027e0597fe
+Head: 4d2559566ff7755a036f856a9b4b701bafb4cc66
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -18,6 +18,7 @@ Applied:
   manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
   manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
   manual-document-mt-safety-job.patch: 4d2559566ff7755a036f856a9b4b701bafb4cc66
+Unapplied:
   manual-document-mt-safety-lang.patch: 41141365901b63e8e55ec323d5ee88c0a5815b44
   manual-document-mt-safety-llio.patch: 8062c6db4730855258daa75bc0bc502e65b287d9
   manual-document-mt-safety-stdio.patch: 9c1671ce52190da483b6ed123ca0c0a7024d1eb8
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 275006e938dbc65a49bcb7e6da2a71e096da3834
   wip-manual-document-mt-safety-threads.patch: 189493f2451b72c60eb8695626ffc08d7584b4f2
   wip-manual-document-mt-safety-time.patch: b6437025912d8b67e3e8ecef23a518fa95899c33
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0f8b761b3aec9a666a413c639b2774027e0597fe

commit 0f8b761b3aec9a666a413c639b2774027e0597fe
Merge: 86e1630 b643702 4d53ec8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:11:43 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=86e163092dbc8617c672238f249a3027675801fb

commit 86e163092dbc8617c672238f249a3027675801fb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:11:43 2013 -0300

    push

diff --git a/meta b/meta
index c8e9e17..970df3a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: db3f6f7ec0cc08d37a11bea4a290aee1c82e7a19
-Head: 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
+Previous: 4d53ec8a1a42816f64ee5b97d51b7f51ea3e9663
+Head: b6437025912d8b67e3e8ecef23a518fa95899c33
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -15,20 +15,20 @@ Applied:
   manual-document-mt-safety-debug.patch: 2851febd94cec0ec11937f681c65ada586f9a223
   manual-document-mt-safety-errno.patch: 06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53
   manual-document-mt-safety-filesys.patch: 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
+  manual-document-mt-safety-getopt.patch: fef40984ed247dfb08395088c2518fd52154e035
+  manual-document-mt-safety-libdl.patch: 3816c6c49233e9317ec22c571867fb8ff95c1edd
+  manual-document-mt-safety-job.patch: 4d2559566ff7755a036f856a9b4b701bafb4cc66
+  manual-document-mt-safety-lang.patch: 41141365901b63e8e55ec323d5ee88c0a5815b44
+  manual-document-mt-safety-llio.patch: 8062c6db4730855258daa75bc0bc502e65b287d9
+  manual-document-mt-safety-stdio.patch: 9c1671ce52190da483b6ed123ca0c0a7024d1eb8
+  wip-manual-document-mt-safety-locale.patch: 5b196df6f05274d7d3fd4234ab11e9178803db7c
+  wip-manual-document-mt-safety-math.patch: ea2dbc48a6bc628804b250481195bfbad0d9a21b
+  wip-manual-document-mt-safety-startup.patch: 76e471e83914edb584ccb70db15f70f50f9ee13d
+  wip-manual-document-mt-safety-search.patch: d7ed3ad174a71581ec2932ab4a384c8266aec68f
+  wip-manual-document-mt-safety-resource.patch: a767734d6decbc515b2ce8685565558c574f1425
+  wip-manual-document-mt-safety-string.patch: b6e62ea39a43e0122e82c5090f6aba03894b4be2
+  wip-manual-document-mt-safety-terminal.patch: 275006e938dbc65a49bcb7e6da2a71e096da3834
+  wip-manual-document-mt-safety-threads.patch: 189493f2451b72c60eb8695626ffc08d7584b4f2
+  wip-manual-document-mt-safety-time.patch: b6437025912d8b67e3e8ecef23a518fa95899c33
 Unapplied:
-  manual-document-mt-safety-getopt.patch: fd1ab5961b60c8bc5524617aba67528f45c035be
-  manual-document-mt-safety-libdl.patch: 59b1677a250033e8588a31f175a0457967e20bce
-  manual-document-mt-safety-job.patch: 3511ea8a2e073e03029c05ac857b8ba78d4120f3
-  manual-document-mt-safety-lang.patch: af8d731747f880cbc9dcd12a20c33ae29807081a
-  manual-document-mt-safety-llio.patch: c96f5dd7f4dc623d8e1b4d963da947d190b385a3
-  manual-document-mt-safety-stdio.patch: b8d40c34db5a32a436bd3d93fbced3f277277bdd
-  wip-manual-document-mt-safety-locale.patch: 525104cbc058b86bed62e4c6ac9d61801d8aac30
-  wip-manual-document-mt-safety-math.patch: 12c7558599b93d105e50a3a4d4d37b45916653dd
-  wip-manual-document-mt-safety-startup.patch: 06bca383d921a436fed841e86912f4c68c94bc52
-  wip-manual-document-mt-safety-search.patch: 0e431a68abd2c68670bca4adad2da412e57ba322
-  wip-manual-document-mt-safety-resource.patch: 9cb1a05651f366cb988e33e60261150697da50e9
-  wip-manual-document-mt-safety-string.patch: 3ceb98893b8304c17d1075fd08cc2c16925d8d26
-  wip-manual-document-mt-safety-terminal.patch: ff0748435327d4fc62cd344c4fed5b1b7c1175c3
-  wip-manual-document-mt-safety-threads.patch: e19104d821eb2d831d8f4fbe98ecbe0cb7a58fab
-  wip-manual-document-mt-safety-time.patch: 9d411555a9f7a2c4dcb353975d41c709ad030271
 Hidden:
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 21aaf24..2b8d8e9 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: 37e7ccc382017c5f5e221e651c5ece331c8757be
-Top:    744f8962aaf3b4e0b439ff3bb97be69bad525f36
+Bottom: cdc226230e45430773c967a5b19e606c9ac5c26c
+Top:    c68359c7dd9923875b40cb6b3e88ccee074aa1cf
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 3b8f840..4195aa0 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 62741c4a3c56289629f1e10d0ec4ca2298d5cb0d
-Top:    efa976ea477ad9e56917b73191483a62a134045e
+Bottom: 6e873142fc9dc8e6673808013c93d2c58ce98443
+Top:    03e8d59af8e96de25460c03f60f6c5cc1a8c30d4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 2cda9f9..21a368c 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: efa976ea477ad9e56917b73191483a62a134045e
-Top:    194f0145ab08733f32fe10b68753b31e84e74328
+Bottom: 03e8d59af8e96de25460c03f60f6c5cc1a8c30d4
+Top:    85976e9026712b280af25c21b6bbad2161b83adc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 73a0c1b..8a38019 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 744f8962aaf3b4e0b439ff3bb97be69bad525f36
-Top:    62741c4a3c56289629f1e10d0ec4ca2298d5cb0d
+Bottom: c68359c7dd9923875b40cb6b3e88ccee074aa1cf
+Top:    6e873142fc9dc8e6673808013c93d2c58ce98443
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 26621ee..891b000 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 194f0145ab08733f32fe10b68753b31e84e74328
-Top:    e78f0a6ed4ced2836717f8bea7d382a8ba7b66dc
+Bottom: 85976e9026712b280af25c21b6bbad2161b83adc
+Top:    4b6492a76ca07bdd09694a3d815b525f7521be6e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 7824650..dd4e6a1 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: e78f0a6ed4ced2836717f8bea7d382a8ba7b66dc
-Top:    4cbba3b6cb190622784c66924c44ac57e1c5312f
+Bottom: 4b6492a76ca07bdd09694a3d815b525f7521be6e
+Top:    1e288609bd4b8602bc5c4017a4d64a5a266f5cf3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 5aa2088..5f8aa21 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 4cbba3b6cb190622784c66924c44ac57e1c5312f
-Top:    b157aa1f6755cd6bd70effcad95e6cfb3c7ad9c1
+Bottom: 1e288609bd4b8602bc5c4017a4d64a5a266f5cf3
+Top:    3f26707a55cc4b3743d8b20310060091a2722bf9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 8441128..35f4e1e 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: b157aa1f6755cd6bd70effcad95e6cfb3c7ad9c1
-Top:    20b8dc675fa6dbba870f66329160337c64509ee0
+Bottom: 3f26707a55cc4b3743d8b20310060091a2722bf9
+Top:    a11c98df057934d5126974498680ca02e63cc81c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index f664e38..69c8edf 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: e4e3f5e2330e3ac6c7eae975de280f1ba8ac3479
-Top:    4b5aea59fb7148ab8339fe9c5c2fd40de20acca5
+Bottom: 2f06c88f5e067c0ad69f34d0275014d09ff57a22
+Top:    29dcdfd1aff6c660e2916c04bc93e2e1e0a0b05f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index b0190ba..81e4fc8 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 3898f41755498b36b7cd3566b90ad4f629ada674
-Top:    e4e3f5e2330e3ac6c7eae975de280f1ba8ac3479
+Bottom: 59d7e766f0565010748967e59406197c13ccae47
+Top:    2f06c88f5e067c0ad69f34d0275014d09ff57a22
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 01b8303..48ee6f2 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 20b8dc675fa6dbba870f66329160337c64509ee0
-Top:    3898f41755498b36b7cd3566b90ad4f629ada674
+Bottom: a11c98df057934d5126974498680ca02e63cc81c
+Top:    59d7e766f0565010748967e59406197c13ccae47
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 16834fc..bd701bf 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 4b5aea59fb7148ab8339fe9c5c2fd40de20acca5
-Top:    e42edee8bf1594adf7e7cfa49e197c47dcc76264
+Bottom: 29dcdfd1aff6c660e2916c04bc93e2e1e0a0b05f
+Top:    6214ba87d46caf799e26d9dec166b0f306946143
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 08a9893..462849f 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: e42edee8bf1594adf7e7cfa49e197c47dcc76264
-Top:    a97217eae5c86c40da7508a90d5a8507080e1488
+Bottom: 6214ba87d46caf799e26d9dec166b0f306946143
+Top:    8ba6d8af046244985877511430d034165f4c58fc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index dd9a78f..9e05d78 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: a97217eae5c86c40da7508a90d5a8507080e1488
-Top:    17d31f44b33a4efa3757560f8fab8834bd4d2d67
+Bottom: 8ba6d8af046244985877511430d034165f4c58fc
+Top:    fe5e48500cc7598452d5345c04173ce23157e134
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index e96627a..82bbd95 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 17d31f44b33a4efa3757560f8fab8834bd4d2d67
-Top:    ff509c08ed1dd9e766ab81dadd88d49d2c479857
+Bottom: fe5e48500cc7598452d5345c04173ce23157e134
+Top:    f9638e8d77bd09a6d39e04eb72367337c9d9e95a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1da38dc05daeed4e2d77f2923bb588bf259a7549

commit 1da38dc05daeed4e2d77f2923bb588bf259a7549
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..2c46771 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,6 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
@@ -1134,6 +1145,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1154,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1164,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1188,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1227,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1251,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1281,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1322,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d2559566ff7755a036f856a9b4b701bafb4cc66

commit 4d2559566ff7755a036f856a9b4b701bafb4cc66
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b6437025912d8b67e3e8ecef23a518fa95899c33

commit b6437025912d8b67e3e8ecef23a518fa95899c33
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3816c6c49233e9317ec22c571867fb8ff95c1edd

commit 3816c6c49233e9317ec22c571867fb8ff95c1edd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=189493f2451b72c60eb8695626ffc08d7584b4f2

commit 189493f2451b72c60eb8695626ffc08d7584b4f2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=275006e938dbc65a49bcb7e6da2a71e096da3834

commit 275006e938dbc65a49bcb7e6da2a71e096da3834
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b6e62ea39a43e0122e82c5090f6aba03894b4be2

commit b6e62ea39a43e0122e82c5090f6aba03894b4be2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a767734d6decbc515b2ce8685565558c574f1425

commit a767734d6decbc515b2ce8685565558c574f1425
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d7ed3ad174a71581ec2932ab4a384c8266aec68f

commit d7ed3ad174a71581ec2932ab4a384c8266aec68f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=76e471e83914edb584ccb70db15f70f50f9ee13d

commit 76e471e83914edb584ccb70db15f70f50f9ee13d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ea2dbc48a6bc628804b250481195bfbad0d9a21b

commit ea2dbc48a6bc628804b250481195bfbad0d9a21b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5b196df6f05274d7d3fd4234ab11e9178803db7c

commit 5b196df6f05274d7d3fd4234ab11e9178803db7c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9c1671ce52190da483b6ed123ca0c0a7024d1eb8

commit 9c1671ce52190da483b6ed123ca0c0a7024d1eb8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8062c6db4730855258daa75bc0bc502e65b287d9

commit 8062c6db4730855258daa75bc0bc502e65b287d9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=41141365901b63e8e55ec323d5ee88c0a5815b44

commit 41141365901b63e8e55ec323d5ee88c0a5815b44
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fef40984ed247dfb08395088c2518fd52154e035

commit fef40984ed247dfb08395088c2518fd52154e035
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d53ec8a1a42816f64ee5b97d51b7f51ea3e9663

commit 4d53ec8a1a42816f64ee5b97d51b7f51ea3e9663
Merge: 8d50f4f db3f6f7 48a6b75
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:11:37 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8d50f4f675d63f9144c706b0835d9f47a831d924

commit 8d50f4f675d63f9144c706b0835d9f47a831d924
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:11:37 2013 -0300

    refresh

diff --git a/meta b/meta
index 1623c59..c8e9e17 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: f899ee2d78b22489d575d37a039da9a79959fbad
-Head: c5d2a98afcd5b27008893205a63f779f17aff7d4
+Previous: db3f6f7ec0cc08d37a11bea4a290aee1c82e7a19
+Head: 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -14,8 +14,7 @@ Applied:
   manual-document-mt-safety-ctype.patch: 1d9117d74990d3b2c143fd888d1435b627116a49
   manual-document-mt-safety-debug.patch: 2851febd94cec0ec11937f681c65ada586f9a223
   manual-document-mt-safety-errno.patch: 06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53
-  manual-document-mt-safety-filesys.patch: c94ff62dad7a91e0eafa7bac91d3c36ccb138936
-  refresh-temp: c5d2a98afcd5b27008893205a63f779f17aff7d4
+  manual-document-mt-safety-filesys.patch: 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
 Unapplied:
   manual-document-mt-safety-getopt.patch: fd1ab5961b60c8bc5524617aba67528f45c035be
   manual-document-mt-safety-libdl.patch: 59b1677a250033e8588a31f175a0457967e20bce
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 5c7af93..f1fe08e 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
 Bottom: 1ff2a8e59e8b9699588c78ee345f4d6ed95eb078
-Top:    37e7ccc382017c5f5e221e651c5ece331c8757be
+Top:    cdc226230e45430773c967a5b19e606c9ac5c26c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 1df9cf2..47176cc 100644
+index 1df9cf2..b5b6630 100644
 --- a/manual/filesys.texi
 +++ b/manual/filesys.texi
 @@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
@@ -773,7 +773,7 @@ index 1df9cf2..47176cc 100644
 +@c fchmodat
 +@c fchownat
 +@c futimesat
-+@c fstatat
++@c fstatat (there's a commented-out safety assessment for this one)
 +@c linkat
 +@c mkdirat
 +@c mkfifoat
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index ba78439..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,22 +0,0 @@
-Bottom: 37e7ccc382017c5f5e221e651c5ece331c8757be
-Top:    cdc226230e45430773c967a5b19e606c9ac5c26c
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:11:37 -0300
-
-Refresh of manual-document-mt-safety-filesys.patch
-
----
-
-diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 47176cc..b5b6630 100644
---- a/manual/filesys.texi
-+++ b/manual/filesys.texi
-@@ -3523,7 +3523,7 @@ The @code{mkdtemp} function comes from OpenBSD.
- @c fchmodat
- @c fchownat
- @c futimesat
--@c fstatat
-+@c fstatat (there's a commented-out safety assessment for this one)
- @c linkat
- @c mkdirat
- @c mkfifoat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=db3f6f7ec0cc08d37a11bea4a290aee1c82e7a19

commit db3f6f7ec0cc08d37a11bea4a290aee1c82e7a19
Merge: c35b583 f899ee2 c5d2a98
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:11:37 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c35b583378f2041da1b8b5e87fa79b02998d43e4

commit c35b583378f2041da1b8b5e87fa79b02998d43e4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:11:37 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index e9a79ed..1623c59 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 2dbeabc90d3187cb757660ab99b1aac6dbe2a766
-Head: c94ff62dad7a91e0eafa7bac91d3c36ccb138936
+Previous: f899ee2d78b22489d575d37a039da9a79959fbad
+Head: c5d2a98afcd5b27008893205a63f779f17aff7d4
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -15,6 +15,7 @@ Applied:
   manual-document-mt-safety-debug.patch: 2851febd94cec0ec11937f681c65ada586f9a223
   manual-document-mt-safety-errno.patch: 06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53
   manual-document-mt-safety-filesys.patch: c94ff62dad7a91e0eafa7bac91d3c36ccb138936
+  refresh-temp: c5d2a98afcd5b27008893205a63f779f17aff7d4
 Unapplied:
   manual-document-mt-safety-getopt.patch: fd1ab5961b60c8bc5524617aba67528f45c035be
   manual-document-mt-safety-libdl.patch: 59b1677a250033e8588a31f175a0457967e20bce
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..ba78439
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,22 @@
+Bottom: 37e7ccc382017c5f5e221e651c5ece331c8757be
+Top:    cdc226230e45430773c967a5b19e606c9ac5c26c
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 04:11:37 -0300
+
+Refresh of manual-document-mt-safety-filesys.patch
+
+---
+
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 47176cc..b5b6630 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -3523,7 +3523,7 @@ The @code{mkdtemp} function comes from OpenBSD.
+ @c fchmodat
+ @c fchownat
+ @c futimesat
+-@c fstatat
++@c fstatat (there's a commented-out safety assessment for this one)
+ @c linkat
+ @c mkdirat
+ @c mkfifoat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c5d2a98afcd5b27008893205a63f779f17aff7d4

commit c5d2a98afcd5b27008893205a63f779f17aff7d4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:11:37 2013 -0300

    Refresh of manual-document-mt-safety-filesys.patch

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 47176cc..b5b6630 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -3523,7 +3523,7 @@ The @code{mkdtemp} function comes from OpenBSD.
 @c fchmodat
 @c fchownat
 @c futimesat
-@c fstatat
+@c fstatat (there's a commented-out safety assessment for this one)
 @c linkat
 @c mkdirat
 @c mkfifoat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f899ee2d78b22489d575d37a039da9a79959fbad

commit f899ee2d78b22489d575d37a039da9a79959fbad
Merge: 4561e8e 2dbeabc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:10:59 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4561e8e3cd92e0a070af55556ddd975c302297a5

commit 4561e8e3cd92e0a070af55556ddd975c302297a5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:10:59 2013 -0300

    goto

diff --git a/meta b/meta
index c4aecea..e9a79ed 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 33bb3dca5b8ad25784eef98bd49ac57d641a8459
-Head: 9d411555a9f7a2c4dcb353975d41c709ad030271
+Previous: 2dbeabc90d3187cb757660ab99b1aac6dbe2a766
+Head: c94ff62dad7a91e0eafa7bac91d3c36ccb138936
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -15,6 +15,7 @@ Applied:
   manual-document-mt-safety-debug.patch: 2851febd94cec0ec11937f681c65ada586f9a223
   manual-document-mt-safety-errno.patch: 06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53
   manual-document-mt-safety-filesys.patch: c94ff62dad7a91e0eafa7bac91d3c36ccb138936
+Unapplied:
   manual-document-mt-safety-getopt.patch: fd1ab5961b60c8bc5524617aba67528f45c035be
   manual-document-mt-safety-libdl.patch: 59b1677a250033e8588a31f175a0457967e20bce
   manual-document-mt-safety-job.patch: 3511ea8a2e073e03029c05ac857b8ba78d4120f3
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: ff0748435327d4fc62cd344c4fed5b1b7c1175c3
   wip-manual-document-mt-safety-threads.patch: e19104d821eb2d831d8f4fbe98ecbe0cb7a58fab
   wip-manual-document-mt-safety-time.patch: 9d411555a9f7a2c4dcb353975d41c709ad030271
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2dbeabc90d3187cb757660ab99b1aac6dbe2a766

commit 2dbeabc90d3187cb757660ab99b1aac6dbe2a766
Merge: fa8bc10 9d41155 33bb3dc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:08:46 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fa8bc10405cc1c1477c274b5a16e580f27ed27ba

commit fa8bc10405cc1c1477c274b5a16e580f27ed27ba
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:08:46 2013 -0300

    push

diff --git a/meta b/meta
index 823da90..c4aecea 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 283e6d9258890d6620ff2843ae0d6827e23eab48
-Head: dabcbeb1f646a611c3e18db1dbf0d317276c5fbc
+Previous: 33bb3dca5b8ad25784eef98bd49ac57d641a8459
+Head: 9d411555a9f7a2c4dcb353975d41c709ad030271
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -11,24 +11,24 @@ Applied:
   manual-document-mt-safety-charset.patch: d739c28d7512bc43968ecc860a2501aeb2b38862
   manual-document-mt-safety-conf.patch: 30f1f3822b1f3a1e8a69529880d4e8e924a3d35a
   manual-document-mt-safety-crypt.patch: dabcbeb1f646a611c3e18db1dbf0d317276c5fbc
+  manual-document-mt-safety-ctype.patch: 1d9117d74990d3b2c143fd888d1435b627116a49
+  manual-document-mt-safety-debug.patch: 2851febd94cec0ec11937f681c65ada586f9a223
+  manual-document-mt-safety-errno.patch: 06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53
+  manual-document-mt-safety-filesys.patch: c94ff62dad7a91e0eafa7bac91d3c36ccb138936
+  manual-document-mt-safety-getopt.patch: fd1ab5961b60c8bc5524617aba67528f45c035be
+  manual-document-mt-safety-libdl.patch: 59b1677a250033e8588a31f175a0457967e20bce
+  manual-document-mt-safety-job.patch: 3511ea8a2e073e03029c05ac857b8ba78d4120f3
+  manual-document-mt-safety-lang.patch: af8d731747f880cbc9dcd12a20c33ae29807081a
+  manual-document-mt-safety-llio.patch: c96f5dd7f4dc623d8e1b4d963da947d190b385a3
+  manual-document-mt-safety-stdio.patch: b8d40c34db5a32a436bd3d93fbced3f277277bdd
+  wip-manual-document-mt-safety-locale.patch: 525104cbc058b86bed62e4c6ac9d61801d8aac30
+  wip-manual-document-mt-safety-math.patch: 12c7558599b93d105e50a3a4d4d37b45916653dd
+  wip-manual-document-mt-safety-startup.patch: 06bca383d921a436fed841e86912f4c68c94bc52
+  wip-manual-document-mt-safety-search.patch: 0e431a68abd2c68670bca4adad2da412e57ba322
+  wip-manual-document-mt-safety-resource.patch: 9cb1a05651f366cb988e33e60261150697da50e9
+  wip-manual-document-mt-safety-string.patch: 3ceb98893b8304c17d1075fd08cc2c16925d8d26
+  wip-manual-document-mt-safety-terminal.patch: ff0748435327d4fc62cd344c4fed5b1b7c1175c3
+  wip-manual-document-mt-safety-threads.patch: e19104d821eb2d831d8f4fbe98ecbe0cb7a58fab
+  wip-manual-document-mt-safety-time.patch: 9d411555a9f7a2c4dcb353975d41c709ad030271
 Unapplied:
-  manual-document-mt-safety-ctype.patch: dc003e9af2abd847740effc6ffb70ad00be9756f
-  manual-document-mt-safety-debug.patch: d4f225eef42541dc480740f9943bfb95af1ac6ea
-  manual-document-mt-safety-errno.patch: 4fad6857b15ad881c5a287349a0d13c093605336
-  manual-document-mt-safety-filesys.patch: f77283b4b552daf9def0c190fccc5f5c4387068c
-  manual-document-mt-safety-getopt.patch: e6721bc24292e81decca229364fe5d9c3c6ea71d
-  manual-document-mt-safety-libdl.patch: 39277bc7d9f8f88e3250ebf2bab380fd90c64d1d
-  manual-document-mt-safety-job.patch: 206f4e754558d0c111d9b727285bf9d6c4b86598
-  manual-document-mt-safety-lang.patch: 443d8e06a844671359ebf35dba1211a3178ee4ad
-  manual-document-mt-safety-llio.patch: 40291dd9759713efc7236398de48112816f0f3d6
-  manual-document-mt-safety-stdio.patch: e3c55c602e828c608f1f6230e75ecbb2416caf16
-  wip-manual-document-mt-safety-locale.patch: 7ee91213d3fc5f11dd4cc39b0abcc7e4c2e4dd23
-  wip-manual-document-mt-safety-math.patch: 22e6f0a3bcaca29f27609644baf5fea9a4175248
-  wip-manual-document-mt-safety-startup.patch: 2041cdf01d0056eaf965a1eb716d32880a7d63fe
-  wip-manual-document-mt-safety-search.patch: 46fa2f9291a5ba618a719449d339d8cdf55c471e
-  wip-manual-document-mt-safety-resource.patch: 1e1e61430f3317fd1b9dc97dd2a93476c4d8aa42
-  wip-manual-document-mt-safety-string.patch: b85499751668443c0f62c4c3870c5d168d49ecaa
-  wip-manual-document-mt-safety-terminal.patch: f1eb3c581f36a70cbaba74b299638fa1c2f6a915
-  wip-manual-document-mt-safety-threads.patch: 59a4161882789129bbe1ad4f10f88c77e274cca3
-  wip-manual-document-mt-safety-time.patch: a16217056ff0a4d0283a48b0866c343275e665cc
 Hidden:
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index dc8b87f..e5aada3 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 089fd8db0fb871c7ca2e99ac7f4311e9010432ca
-Top:    e6ad56f60a9ae3119fa08543ad49b558cff0c045
+Bottom: 7995ce65c762cc782885f999be1655c53385b187
+Top:    64ebd752fed5cf529fd9903b3078f66d5a39ae0f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 2b678fe..8ca0d1e 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: e6ad56f60a9ae3119fa08543ad49b558cff0c045
-Top:    3ababf1041f03670a2c2776baee2ed0c43d31698
+Bottom: 64ebd752fed5cf529fd9903b3078f66d5a39ae0f
+Top:    1c6445c77783aa0c8826066576f1bea1d574a20c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:11 -0300
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 424e584..41e8371 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: 3ababf1041f03670a2c2776baee2ed0c43d31698
-Top:    b4f7c402311f37c3b32d6f4d32dc00a60994226f
+Bottom: 1c6445c77783aa0c8826066576f1bea1d574a20c
+Top:    1ff2a8e59e8b9699588c78ee345f4d6ed95eb078
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:34 -0300
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index d13ef9a..5c7af93 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: b4f7c402311f37c3b32d6f4d32dc00a60994226f
-Top:    122d09db0404eacd5edf4e67b19ccd9051214e43
+Bottom: 1ff2a8e59e8b9699588c78ee345f4d6ed95eb078
+Top:    37e7ccc382017c5f5e221e651c5ece331c8757be
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index eaf7aca..21aaf24 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: 122d09db0404eacd5edf4e67b19ccd9051214e43
-Top:    9866bab7870219b6988dab9ba93f6d25dc2c100c
+Bottom: 37e7ccc382017c5f5e221e651c5ece331c8757be
+Top:    744f8962aaf3b4e0b439ff3bb97be69bad525f36
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 4953c91..3b8f840 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: ec3605354c18a37252d7488b1d2137114ebe08c6
-Top:    3be4fa8a36465897a21bfea4d9c0591e6ef0fde8
+Bottom: 62741c4a3c56289629f1e10d0ec4ca2298d5cb0d
+Top:    efa976ea477ad9e56917b73191483a62a134045e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index cfdec52..2cda9f9 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 3be4fa8a36465897a21bfea4d9c0591e6ef0fde8
-Top:    07d762fd38d600310567e328e80e1b79b68edcf4
+Bottom: efa976ea477ad9e56917b73191483a62a134045e
+Top:    194f0145ab08733f32fe10b68753b31e84e74328
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 813f3fc..73a0c1b 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 9866bab7870219b6988dab9ba93f6d25dc2c100c
-Top:    ec3605354c18a37252d7488b1d2137114ebe08c6
+Bottom: 744f8962aaf3b4e0b439ff3bb97be69bad525f36
+Top:    62741c4a3c56289629f1e10d0ec4ca2298d5cb0d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 44cc758..26621ee 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 07d762fd38d600310567e328e80e1b79b68edcf4
-Top:    c1a698990b72ac8bdc2a28b520626b33471c00ae
+Bottom: 194f0145ab08733f32fe10b68753b31e84e74328
+Top:    e78f0a6ed4ced2836717f8bea7d382a8ba7b66dc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 250c52b..7824650 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: c1a698990b72ac8bdc2a28b520626b33471c00ae
-Top:    5ea62d01e9347793c938b6e18e84f3dab1ca318e
+Bottom: e78f0a6ed4ced2836717f8bea7d382a8ba7b66dc
+Top:    4cbba3b6cb190622784c66924c44ac57e1c5312f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 99b3533..5aa2088 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 5ea62d01e9347793c938b6e18e84f3dab1ca318e
-Top:    16f2fe7871e24dc405b45dbd94bc718ff43c10c3
+Bottom: 4cbba3b6cb190622784c66924c44ac57e1c5312f
+Top:    b157aa1f6755cd6bd70effcad95e6cfb3c7ad9c1
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index c012844..8441128 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 16f2fe7871e24dc405b45dbd94bc718ff43c10c3
-Top:    59b9261000c6b7a639e3a84300c7502a80c42a4e
+Bottom: b157aa1f6755cd6bd70effcad95e6cfb3c7ad9c1
+Top:    20b8dc675fa6dbba870f66329160337c64509ee0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index c52c51b..f664e38 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 9984c2c6125f0eafc7653a65bbb6f102a16155f2
-Top:    f41451b18f5e7f9e3ddc0dbf945169dbd61eda46
+Bottom: e4e3f5e2330e3ac6c7eae975de280f1ba8ac3479
+Top:    4b5aea59fb7148ab8339fe9c5c2fd40de20acca5
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 6db5822..b0190ba 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 4cb7add8806fa3c3f15a04c29259e9eddc417ba6
-Top:    9984c2c6125f0eafc7653a65bbb6f102a16155f2
+Bottom: 3898f41755498b36b7cd3566b90ad4f629ada674
+Top:    e4e3f5e2330e3ac6c7eae975de280f1ba8ac3479
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 92a5437..01b8303 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 59b9261000c6b7a639e3a84300c7502a80c42a4e
-Top:    4cb7add8806fa3c3f15a04c29259e9eddc417ba6
+Bottom: 20b8dc675fa6dbba870f66329160337c64509ee0
+Top:    3898f41755498b36b7cd3566b90ad4f629ada674
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 380a2c0..16834fc 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: f41451b18f5e7f9e3ddc0dbf945169dbd61eda46
-Top:    79b6c41eb30b57d0ae06b3a08774d66214439506
+Bottom: 4b5aea59fb7148ab8339fe9c5c2fd40de20acca5
+Top:    e42edee8bf1594adf7e7cfa49e197c47dcc76264
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 02a3774..08a9893 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 79b6c41eb30b57d0ae06b3a08774d66214439506
-Top:    2efb87de244b3766a61de3499319c10a0f2b0722
+Bottom: e42edee8bf1594adf7e7cfa49e197c47dcc76264
+Top:    a97217eae5c86c40da7508a90d5a8507080e1488
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 182a5c2..dd9a78f 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 2efb87de244b3766a61de3499319c10a0f2b0722
-Top:    9a302c73b3e66c244488b83c45b0093b7c583835
+Bottom: a97217eae5c86c40da7508a90d5a8507080e1488
+Top:    17d31f44b33a4efa3757560f8fab8834bd4d2d67
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 73bc64a..e96627a 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 9a302c73b3e66c244488b83c45b0093b7c583835
-Top:    9cd1ed610c81866354975c873c2429e57421212a
+Bottom: 17d31f44b33a4efa3757560f8fab8834bd4d2d67
+Top:    ff509c08ed1dd9e766ab81dadd88d49d2c479857
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9d411555a9f7a2c4dcb353975d41c709ad030271

commit 9d411555a9f7a2c4dcb353975d41c709ad030271
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e19104d821eb2d831d8f4fbe98ecbe0cb7a58fab

commit e19104d821eb2d831d8f4fbe98ecbe0cb7a58fab
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ff0748435327d4fc62cd344c4fed5b1b7c1175c3

commit ff0748435327d4fc62cd344c4fed5b1b7c1175c3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3ceb98893b8304c17d1075fd08cc2c16925d8d26

commit 3ceb98893b8304c17d1075fd08cc2c16925d8d26
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9cb1a05651f366cb988e33e60261150697da50e9

commit 9cb1a05651f366cb988e33e60261150697da50e9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0e431a68abd2c68670bca4adad2da412e57ba322

commit 0e431a68abd2c68670bca4adad2da412e57ba322
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=06bca383d921a436fed841e86912f4c68c94bc52

commit 06bca383d921a436fed841e86912f4c68c94bc52
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=12c7558599b93d105e50a3a4d4d37b45916653dd

commit 12c7558599b93d105e50a3a4d4d37b45916653dd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=48a6b75fc25dc87bedc75d3fdfc131da890b7f4b

commit 48a6b75fc25dc87bedc75d3fdfc131da890b7f4b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..b5b6630 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat (there's a commented-out safety assessment for this one)
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c94ff62dad7a91e0eafa7bac91d3c36ccb138936

commit c94ff62dad7a91e0eafa7bac91d3c36ccb138936
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..47176cc 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=525104cbc058b86bed62e4c6ac9d61801d8aac30

commit 525104cbc058b86bed62e4c6ac9d61801d8aac30
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53

commit 06af1d5ee2d283ef4da1ec4190dd42b9bd9e5e53
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b8d40c34db5a32a436bd3d93fbced3f277277bdd

commit b8d40c34db5a32a436bd3d93fbced3f277277bdd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2851febd94cec0ec11937f681c65ada586f9a223

commit 2851febd94cec0ec11937f681c65ada586f9a223
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c96f5dd7f4dc623d8e1b4d963da947d190b385a3

commit c96f5dd7f4dc623d8e1b4d963da947d190b385a3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1d9117d74990d3b2c143fd888d1435b627116a49

commit 1d9117d74990d3b2c143fd888d1435b627116a49
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=af8d731747f880cbc9dcd12a20c33ae29807081a

commit af8d731747f880cbc9dcd12a20c33ae29807081a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3511ea8a2e073e03029c05ac857b8ba78d4120f3

commit 3511ea8a2e073e03029c05ac857b8ba78d4120f3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=59b1677a250033e8588a31f175a0457967e20bce

commit 59b1677a250033e8588a31f175a0457967e20bce
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fd1ab5961b60c8bc5524617aba67528f45c035be

commit fd1ab5961b60c8bc5524617aba67528f45c035be
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=33bb3dca5b8ad25784eef98bd49ac57d641a8459

commit 33bb3dca5b8ad25784eef98bd49ac57d641a8459
Merge: 1f2b789 283e6d9 dabcbeb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:08:31 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1f2b78953becf54e98c3de46124735f4108b366c

commit 1f2b78953becf54e98c3de46124735f4108b366c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:08:31 2013 -0300

    refresh

diff --git a/meta b/meta
index dfabea6..823da90 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 733995c9ef9e9c01851a9603c4ffb530bbf7b8d3
-Head: de4f2a47af0e9ef9da1f16926fbb50aad6193642
+Previous: 283e6d9258890d6620ff2843ae0d6827e23eab48
+Head: dabcbeb1f646a611c3e18db1dbf0d317276c5fbc
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -10,8 +10,7 @@ Applied:
   manual-document-mt-safety-arith.patch: 7288eb7651261bf0ff7d26fd94d47c4a6267169f
   manual-document-mt-safety-charset.patch: d739c28d7512bc43968ecc860a2501aeb2b38862
   manual-document-mt-safety-conf.patch: 30f1f3822b1f3a1e8a69529880d4e8e924a3d35a
-  manual-document-mt-safety-crypt.patch: ae74a2f95b7ccea4362a553291e9dd5c403915e3
-  refresh-temp: de4f2a47af0e9ef9da1f16926fbb50aad6193642
+  manual-document-mt-safety-crypt.patch: dabcbeb1f646a611c3e18db1dbf0d317276c5fbc
 Unapplied:
   manual-document-mt-safety-ctype.patch: dc003e9af2abd847740effc6ffb70ad00be9756f
   manual-document-mt-safety-debug.patch: d4f225eef42541dc480740f9943bfb95af1ac6ea
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 8198119..48df593 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
 Bottom: 6971015fc6a93453edf7bda609669d84f67a4037
-Top:    089fd8db0fb871c7ca2e99ac7f4311e9010432ca
+Top:    7995ce65c762cc782885f999be1655c53385b187
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:47 -0300
 
@@ -13,14 +13,13 @@ for ChangeLog
 ---
 
 diff --git a/manual/crypt.texi b/manual/crypt.texi
-index ef90590..5c9f6f7 100644
+index ef90590..a3c8fa5 100644
 --- a/manual/crypt.texi
 +++ b/manual/crypt.texi
-@@ -92,7 +92,13 @@ in a convenient way.
+@@ -92,6 +92,13 @@ in a convenient way.
  @comment unistd.h
  @comment BSD
  @deftypefun {char *} getpass (const char *@var{prompt})
--
 +@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
 +@c This function will attempt to create a stream for terminal I/O, but
 +@c will fallback to stdio/stderr.  It attempts to change the terminal
@@ -28,10 +27,10 @@ index ef90590..5c9f6f7 100644
 +@c then restore the terminal mode.  It has a cleanup to close the stream
 +@c in case of (synchronous) cancellation, but not to restore the
 +@c terminal mode.
+ 
  @code{getpass} outputs @var{prompt}, then reads a string in from the
  terminal without echoing it.  It tries to connect to the real terminal,
- @file{/dev/tty}, if possible, to encourage users not to put plaintext
-@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
+@@ -127,6 +134,13 @@ The substitute takes the same parameters as @code{getline}
  @comment crypt.h
  @comment BSD, SVID
  @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
@@ -45,7 +44,7 @@ index ef90590..5c9f6f7 100644
  
  The @code{crypt} function takes a password, @var{key}, as a string, and
  a @var{salt} character array which is described below, and returns a
-@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
+@@ -188,6 +202,9 @@ for a password and prints ``Access granted.'' if the user types
  @comment crypt.h
  @comment GNU
  @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
@@ -55,7 +54,7 @@ index ef90590..5c9f6f7 100644
  
  The @code{crypt_r} function does the same thing as @code{crypt}, but
  takes an extra parameter which includes space for its result (among
-@@ -233,6 +249,11 @@ specifies the unused bits.
+@@ -233,6 +250,11 @@ specifies the unused bits.
  @comment crypt.h
  @comment BSD, SVID
  @deftypefun void setkey (const char *@var{key})
@@ -67,7 +66,7 @@ index ef90590..5c9f6f7 100644
  
  The @code{setkey} function sets an internal data structure to be an
  expanded form of @var{key}.  @var{key} is specified as an array of 64
-@@ -244,6 +265,8 @@ parity.
+@@ -244,6 +266,8 @@ parity.
  @comment crypt.h
  @comment BSD, SVID
  @deftypefun void encrypt (char *@var{block}, int @var{edflag})
@@ -76,7 +75,7 @@ index ef90590..5c9f6f7 100644
  
  The @code{encrypt} function encrypts @var{block} if
  @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
-@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
+@@ -257,9 +281,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
  @comment crypt.h
  @comment GNU
  @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
@@ -88,7 +87,7 @@ index ef90590..5c9f6f7 100644
  
  These are reentrant versions of @code{setkey} and @code{encrypt}.  The
  only difference is the extra parameter, which stores the expanded
-@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
+@@ -274,6 +300,7 @@ defined in @file{crypt.h}.
  @comment rpc/des_crypt.h
  @comment SUNRPC
  @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
@@ -96,7 +95,7 @@ index ef90590..5c9f6f7 100644
  
  The function @code{ecb_crypt} encrypts or decrypts one or more blocks
  using DES.  Each block is encrypted independently.
-@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
+@@ -355,6 +382,7 @@ This macro returns 1 if @var{err} is a `success' result code from
  @comment rpc/des_crypt.h
  @comment SUNRPC
  @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
@@ -104,7 +103,7 @@ index ef90590..5c9f6f7 100644
  
  The function @code{cbc_crypt} encrypts or decrypts one or more blocks
  using DES in Cipher Block Chaining mode.
-@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
+@@ -381,6 +409,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
  @comment rpc/des_crypt.h
  @comment SUNRPC
  @deftypefun void des_setparity (char *@var{key})
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 7c0f2a5..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,21 +0,0 @@
-Bottom: 089fd8db0fb871c7ca2e99ac7f4311e9010432ca
-Top:    7995ce65c762cc782885f999be1655c53385b187
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 04:08:30 -0300
-
-Refresh of manual-document-mt-safety-crypt.patch
-
----
-
-diff --git a/manual/crypt.texi b/manual/crypt.texi
-index 5c9f6f7..a3c8fa5 100644
---- a/manual/crypt.texi
-+++ b/manual/crypt.texi
-@@ -99,6 +99,7 @@ in a convenient way.
- @c then restore the terminal mode.  It has a cleanup to close the stream
- @c in case of (synchronous) cancellation, but not to restore the
- @c terminal mode.
-+
- @code{getpass} outputs @var{prompt}, then reads a string in from the
- terminal without echoing it.  It tries to connect to the real terminal,
- @file{/dev/tty}, if possible, to encourage users not to put plaintext

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=283e6d9258890d6620ff2843ae0d6827e23eab48

commit 283e6d9258890d6620ff2843ae0d6827e23eab48
Merge: 8ba9385 733995c de4f2a4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:08:31 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8ba9385c931fc12c6519bb7818c66d36c381b00b

commit 8ba9385c931fc12c6519bb7818c66d36c381b00b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:08:31 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 45bee50..dfabea6 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7d7f7b862416ab02645bff41b34c060c5f278c47
-Head: ae74a2f95b7ccea4362a553291e9dd5c403915e3
+Previous: 733995c9ef9e9c01851a9603c4ffb530bbf7b8d3
+Head: de4f2a47af0e9ef9da1f16926fbb50aad6193642
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -11,6 +11,7 @@ Applied:
   manual-document-mt-safety-charset.patch: d739c28d7512bc43968ecc860a2501aeb2b38862
   manual-document-mt-safety-conf.patch: 30f1f3822b1f3a1e8a69529880d4e8e924a3d35a
   manual-document-mt-safety-crypt.patch: ae74a2f95b7ccea4362a553291e9dd5c403915e3
+  refresh-temp: de4f2a47af0e9ef9da1f16926fbb50aad6193642
 Unapplied:
   manual-document-mt-safety-ctype.patch: dc003e9af2abd847740effc6ffb70ad00be9756f
   manual-document-mt-safety-debug.patch: d4f225eef42541dc480740f9943bfb95af1ac6ea
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..7c0f2a5
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,21 @@
+Bottom: 089fd8db0fb871c7ca2e99ac7f4311e9010432ca
+Top:    7995ce65c762cc782885f999be1655c53385b187
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 04:08:30 -0300
+
+Refresh of manual-document-mt-safety-crypt.patch
+
+---
+
+diff --git a/manual/crypt.texi b/manual/crypt.texi
+index 5c9f6f7..a3c8fa5 100644
+--- a/manual/crypt.texi
++++ b/manual/crypt.texi
+@@ -99,6 +99,7 @@ in a convenient way.
+ @c then restore the terminal mode.  It has a cleanup to close the stream
+ @c in case of (synchronous) cancellation, but not to restore the
+ @c terminal mode.
++
+ @code{getpass} outputs @var{prompt}, then reads a string in from the
+ terminal without echoing it.  It tries to connect to the real terminal,
+ @file{/dev/tty}, if possible, to encourage users not to put plaintext

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=de4f2a47af0e9ef9da1f16926fbb50aad6193642

commit de4f2a47af0e9ef9da1f16926fbb50aad6193642
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:08:30 2013 -0300

    Refresh of manual-document-mt-safety-crypt.patch

diff --git a/manual/crypt.texi b/manual/crypt.texi
index 5c9f6f7..a3c8fa5 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -99,6 +99,7 @@ in a convenient way.
 @c then restore the terminal mode.  It has a cleanup to close the stream
 @c in case of (synchronous) cancellation, but not to restore the
 @c terminal mode.
+
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=733995c9ef9e9c01851a9603c4ffb530bbf7b8d3

commit 733995c9ef9e9c01851a9603c4ffb530bbf7b8d3
Merge: b8af925 7d7f7b8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:07:31 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b8af925c25c7acce0bbc95c11ff777023c86536e

commit b8af925c25c7acce0bbc95c11ff777023c86536e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 04:07:31 2013 -0300

    goto

diff --git a/meta b/meta
index e7e925e..45bee50 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9cdfbb1dc7b1689a67f30412e3846e73edc64bdc
-Head: a16217056ff0a4d0283a48b0866c343275e665cc
+Previous: 7d7f7b862416ab02645bff41b34c060c5f278c47
+Head: ae74a2f95b7ccea4362a553291e9dd5c403915e3
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
@@ -11,6 +11,7 @@ Applied:
   manual-document-mt-safety-charset.patch: d739c28d7512bc43968ecc860a2501aeb2b38862
   manual-document-mt-safety-conf.patch: 30f1f3822b1f3a1e8a69529880d4e8e924a3d35a
   manual-document-mt-safety-crypt.patch: ae74a2f95b7ccea4362a553291e9dd5c403915e3
+Unapplied:
   manual-document-mt-safety-ctype.patch: dc003e9af2abd847740effc6ffb70ad00be9756f
   manual-document-mt-safety-debug.patch: d4f225eef42541dc480740f9943bfb95af1ac6ea
   manual-document-mt-safety-errno.patch: 4fad6857b15ad881c5a287349a0d13c093605336
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: f1eb3c581f36a70cbaba74b299638fa1c2f6a915
   wip-manual-document-mt-safety-threads.patch: 59a4161882789129bbe1ad4f10f88c77e274cca3
   wip-manual-document-mt-safety-time.patch: a16217056ff0a4d0283a48b0866c343275e665cc
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7d7f7b862416ab02645bff41b34c060c5f278c47

commit 7d7f7b862416ab02645bff41b34c060c5f278c47
Merge: 227eb89 9cdfbb1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:35:20 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=227eb89514b8e4bad5f00b53f8928115a0edde9b

commit 227eb89514b8e4bad5f00b53f8928115a0edde9b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:35:20 2013 -0300

    push

diff --git a/meta b/meta
index 5139814..e7e925e 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,10 @@
 Version: 1
-Previous: c339b003f5eb745be1c1d731544530e3570f9c14
-Head: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
+Previous: 9cdfbb1dc7b1689a67f30412e3846e73edc64bdc
+Head: a16217056ff0a4d0283a48b0866c343275e665cc
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
   remove-sysdeps-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
-Unapplied:
   manual-document-mt-safety.patch: a55b2aa9900f7f2d98793bb44e882e32b000150b
   manual-document-mt-safety-argp.patch: f8001a47dc69f4ca878ae0b18dde1eab6f47ca23
   manual-document-mt-safety-arith.patch: 7288eb7651261bf0ff7d26fd94d47c4a6267169f
@@ -31,4 +30,5 @@ Unapplied:
   wip-manual-document-mt-safety-terminal.patch: f1eb3c581f36a70cbaba74b299638fa1c2f6a915
   wip-manual-document-mt-safety-threads.patch: 59a4161882789129bbe1ad4f10f88c77e274cca3
   wip-manual-document-mt-safety-time.patch: a16217056ff0a4d0283a48b0866c343275e665cc
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9cdfbb1dc7b1689a67f30412e3846e73edc64bdc

commit 9cdfbb1dc7b1689a67f30412e3846e73edc64bdc
Merge: e9f3c44 c339b00
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:27 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e9f3c444f69d760796c74b00a10a3917753653e5

commit e9f3c444f69d760796c74b00a10a3917753653e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:27 2013 -0300

    push

diff --git a/meta b/meta
index 0f3e99f..5139814 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,11 @@
 Version: 1
-Previous: 95fcade3632a1478e1c6c603c486f62936a1c337
-Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
+Previous: c339b003f5eb745be1c1d731544530e3570f9c14
+Head: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
 Applied:
-Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
   remove-sysdeps-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
+Unapplied:
   manual-document-mt-safety.patch: a55b2aa9900f7f2d98793bb44e882e32b000150b
   manual-document-mt-safety-argp.patch: f8001a47dc69f4ca878ae0b18dde1eab6f47ca23
   manual-document-mt-safety-arith.patch: 7288eb7651261bf0ff7d26fd94d47c4a6267169f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c339b003f5eb745be1c1d731544530e3570f9c14

commit c339b003f5eb745be1c1d731544530e3570f9c14
Merge: 1dfd923 ca0a6bc 95fcade
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:25 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1dfd923d83a32c5dbb4e0a34196bf5abb5806cb9

commit 1dfd923d83a32c5dbb4e0a34196bf5abb5806cb9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:25 2013 -0300

    pop

diff --git a/meta b/meta
index 20ca613..0f3e99f 100644
--- a/meta
+++ b/meta
@@ -1,7 +1,8 @@
 Version: 1
-Previous: eedf24efbcebfb452c91b90e339079e6810b195f
-Head: a16217056ff0a4d0283a48b0866c343275e665cc
+Previous: 95fcade3632a1478e1c6c603c486f62936a1c337
+Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
 Applied:
+Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
   remove-sysdeps-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: f1eb3c581f36a70cbaba74b299638fa1c2f6a915
   wip-manual-document-mt-safety-threads.patch: 59a4161882789129bbe1ad4f10f88c77e274cca3
   wip-manual-document-mt-safety-time.patch: a16217056ff0a4d0283a48b0866c343275e665cc
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=95fcade3632a1478e1c6c603c486f62936a1c337

commit 95fcade3632a1478e1c6c603c486f62936a1c337
Merge: dd0a1e7 a162170 eedf24e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:25 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dd0a1e7058473fc6064afbc93cf7c3119c740d3e

commit dd0a1e7058473fc6064afbc93cf7c3119c740d3e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:25 2013 -0300

    push

diff --git a/meta b/meta
index 8920391..20ca613 100644
--- a/meta
+++ b/meta
@@ -1,34 +1,34 @@
 Version: 1
-Previous: 479c336b75a91c9742290b344b093951c4afc234
-Head: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
+Previous: eedf24efbcebfb452c91b90e339079e6810b195f
+Head: a16217056ff0a4d0283a48b0866c343275e665cc
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
   remove-sysdeps-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
+  manual-document-mt-safety.patch: a55b2aa9900f7f2d98793bb44e882e32b000150b
+  manual-document-mt-safety-argp.patch: f8001a47dc69f4ca878ae0b18dde1eab6f47ca23
+  manual-document-mt-safety-arith.patch: 7288eb7651261bf0ff7d26fd94d47c4a6267169f
+  manual-document-mt-safety-charset.patch: d739c28d7512bc43968ecc860a2501aeb2b38862
+  manual-document-mt-safety-conf.patch: 30f1f3822b1f3a1e8a69529880d4e8e924a3d35a
+  manual-document-mt-safety-crypt.patch: ae74a2f95b7ccea4362a553291e9dd5c403915e3
+  manual-document-mt-safety-ctype.patch: dc003e9af2abd847740effc6ffb70ad00be9756f
+  manual-document-mt-safety-debug.patch: d4f225eef42541dc480740f9943bfb95af1ac6ea
+  manual-document-mt-safety-errno.patch: 4fad6857b15ad881c5a287349a0d13c093605336
+  manual-document-mt-safety-filesys.patch: f77283b4b552daf9def0c190fccc5f5c4387068c
+  manual-document-mt-safety-getopt.patch: e6721bc24292e81decca229364fe5d9c3c6ea71d
+  manual-document-mt-safety-libdl.patch: 39277bc7d9f8f88e3250ebf2bab380fd90c64d1d
+  manual-document-mt-safety-job.patch: 206f4e754558d0c111d9b727285bf9d6c4b86598
+  manual-document-mt-safety-lang.patch: 443d8e06a844671359ebf35dba1211a3178ee4ad
+  manual-document-mt-safety-llio.patch: 40291dd9759713efc7236398de48112816f0f3d6
+  manual-document-mt-safety-stdio.patch: e3c55c602e828c608f1f6230e75ecbb2416caf16
+  wip-manual-document-mt-safety-locale.patch: 7ee91213d3fc5f11dd4cc39b0abcc7e4c2e4dd23
+  wip-manual-document-mt-safety-math.patch: 22e6f0a3bcaca29f27609644baf5fea9a4175248
+  wip-manual-document-mt-safety-startup.patch: 2041cdf01d0056eaf965a1eb716d32880a7d63fe
+  wip-manual-document-mt-safety-search.patch: 46fa2f9291a5ba618a719449d339d8cdf55c471e
+  wip-manual-document-mt-safety-resource.patch: 1e1e61430f3317fd1b9dc97dd2a93476c4d8aa42
+  wip-manual-document-mt-safety-string.patch: b85499751668443c0f62c4c3870c5d168d49ecaa
+  wip-manual-document-mt-safety-terminal.patch: f1eb3c581f36a70cbaba74b299638fa1c2f6a915
+  wip-manual-document-mt-safety-threads.patch: 59a4161882789129bbe1ad4f10f88c77e274cca3
+  wip-manual-document-mt-safety-time.patch: a16217056ff0a4d0283a48b0866c343275e665cc
 Unapplied:
-  manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
-  manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
-  manual-document-mt-safety-arith.patch: f44135c2502e59169f999d4373ae92b799a3243f
-  manual-document-mt-safety-charset.patch: c4b388232d899078a1b6d6a59f8c81d91b48f0a1
-  manual-document-mt-safety-conf.patch: b5d8ce5c1458b5e838a2863d4ba4baa86c823b28
-  manual-document-mt-safety-crypt.patch: 72ef57b840cd42f1110c069ef69c5000ef9c88b7
-  manual-document-mt-safety-ctype.patch: f60b1d81ad9cb9c6c27a099d76bdc6abcaf790a2
-  manual-document-mt-safety-debug.patch: 68a39285b6322ffa0bc420d57ec68b14f732c4e3
-  manual-document-mt-safety-errno.patch: da9e9ee60c99d6dc0316d8546541e6dd9c0c9b99
-  manual-document-mt-safety-filesys.patch: d0691d184b91c2e2c5698ea76d17dd9f3a122f8f
-  manual-document-mt-safety-getopt.patch: 4a5d90dda6e00313cc5ba8ce421efaa9cb59081b
-  manual-document-mt-safety-libdl.patch: 307bd3daee46ac59346ae246cca438c773592157
-  manual-document-mt-safety-job.patch: 056831666a434aed7f142ee31ad9ca0d6ba2d3bc
-  manual-document-mt-safety-lang.patch: 63d1c42e6da89b0ad4d95cf9389cd10979efbe86
-  manual-document-mt-safety-llio.patch: 949a5e85be3e463201abb3eca47b28d136e6a748
-  manual-document-mt-safety-stdio.patch: fd97e2760a742412d0efb962445d45e5f6c31d25
-  wip-manual-document-mt-safety-locale.patch: 62c5d0311f8340f9adfd4020aaf20fc59b3bf99d
-  wip-manual-document-mt-safety-math.patch: 3c144b261343ed149aabebaf1644836f8cc743e5
-  wip-manual-document-mt-safety-startup.patch: 6300794e9ab2baa967f9a1778dbf68ab1dd6bded
-  wip-manual-document-mt-safety-search.patch: 41d5ae9e5dfbfe26fd2cd56fa6ca85642a89cccc
-  wip-manual-document-mt-safety-resource.patch: 1daf7c7b5916ddc5c68ab1eeb07c507dd20a6c24
-  wip-manual-document-mt-safety-string.patch: 733b88651a82568a50710faeb8984d6b4c9ed92e
-  wip-manual-document-mt-safety-terminal.patch: 88d6db1efac30fda4ced56f1f651174b35cf5214
-  wip-manual-document-mt-safety-threads.patch: a876db182b7283130d6189eb55ea401d35053850
-  wip-manual-document-mt-safety-time.patch: f24766f16a7fc05837ee864671592bdd230d4631
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 8284a1e..fcb91bc 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: 34670202bf46f8c2807d998163a3ae485669f59e
-Top:    6f7a5e6749ad296a05be499432131dbe19bb6f95
+Bottom: dd5f61ec57d719c37843c4e02281f6e13e85e1e6
+Top:    7330788415ea874753e04d105c9610b828888f8d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 5e36901..24f961d 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 6f7a5e6749ad296a05be499432131dbe19bb6f95
-Top:    defee7a3afc291649a03a852fe89e085e809b1cc
+Bottom: 7330788415ea874753e04d105c9610b828888f8d
+Top:    938a0224455b9ed4d30c77898cfcda3e7658d101
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index 9bbb051..b81a770 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: defee7a3afc291649a03a852fe89e085e809b1cc
-Top:    f0f71d6f601b734abdc7ed68eab96e38b0b2a122
+Bottom: 938a0224455b9ed4d30c77898cfcda3e7658d101
+Top:    11af94a52cfc833e6b706d5bb2641d219dd8e9b1
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:01:33 -0300
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index 79c3d28..17f1a35 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,5 +1,5 @@
-Bottom: f0f71d6f601b734abdc7ed68eab96e38b0b2a122
-Top:    db47a43bafc8d1f8d787b9cfb531d1bc04a01bcc
+Bottom: 11af94a52cfc833e6b706d5bb2641d219dd8e9b1
+Top:    6971015fc6a93453edf7bda609669d84f67a4037
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:16 -0300
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 57d5762..8198119 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
-Bottom: db47a43bafc8d1f8d787b9cfb531d1bc04a01bcc
-Top:    989582e2a61eac80aee357a0b3391b88bdf700b8
+Bottom: 6971015fc6a93453edf7bda609669d84f67a4037
+Top:    089fd8db0fb871c7ca2e99ac7f4311e9010432ca
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:47 -0300
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 9b2ecd0..dc8b87f 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 989582e2a61eac80aee357a0b3391b88bdf700b8
-Top:    e5a870898375d0f16d290f0ce49ace14c8d4a2d7
+Bottom: 089fd8db0fb871c7ca2e99ac7f4311e9010432ca
+Top:    e6ad56f60a9ae3119fa08543ad49b558cff0c045
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index d851526..2b678fe 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: e5a870898375d0f16d290f0ce49ace14c8d4a2d7
-Top:    18067421e6a29e6bd67a95dca76d8007f8b3208f
+Bottom: e6ad56f60a9ae3119fa08543ad49b558cff0c045
+Top:    3ababf1041f03670a2c2776baee2ed0c43d31698
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:11 -0300
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index ea8bf28..424e584 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: 18067421e6a29e6bd67a95dca76d8007f8b3208f
-Top:    69d0870850cf838c0374659f9cbf240c906205b8
+Bottom: 3ababf1041f03670a2c2776baee2ed0c43d31698
+Top:    b4f7c402311f37c3b32d6f4d32dc00a60994226f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:34 -0300
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 3b063f6..d13ef9a 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: 69d0870850cf838c0374659f9cbf240c906205b8
-Top:    eae3c43e01e0c942f9a5097a40719ef9a00c9572
+Bottom: b4f7c402311f37c3b32d6f4d32dc00a60994226f
+Top:    122d09db0404eacd5edf4e67b19ccd9051214e43
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 2514497..eaf7aca 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: eae3c43e01e0c942f9a5097a40719ef9a00c9572
-Top:    ca3bfae7ef20886b7aa0e19b97b7e989545ca988
+Bottom: 122d09db0404eacd5edf4e67b19ccd9051214e43
+Top:    9866bab7870219b6988dab9ba93f6d25dc2c100c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index dd7e72e..4953c91 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 238024f7204c47a5f57650bf1249139600a50037
-Top:    0bac2dafb8007c7423049255cfe9f32d92341729
+Bottom: ec3605354c18a37252d7488b1d2137114ebe08c6
+Top:    3be4fa8a36465897a21bfea4d9c0591e6ef0fde8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 6be420f..cfdec52 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 0bac2dafb8007c7423049255cfe9f32d92341729
-Top:    193841de621025d5ba0a8d8a93cd15e52ed049b0
+Bottom: 3be4fa8a36465897a21bfea4d9c0591e6ef0fde8
+Top:    07d762fd38d600310567e328e80e1b79b68edcf4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index de6923e..813f3fc 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: ca3bfae7ef20886b7aa0e19b97b7e989545ca988
-Top:    238024f7204c47a5f57650bf1249139600a50037
+Bottom: 9866bab7870219b6988dab9ba93f6d25dc2c100c
+Top:    ec3605354c18a37252d7488b1d2137114ebe08c6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index e39088d..44cc758 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 193841de621025d5ba0a8d8a93cd15e52ed049b0
-Top:    54dc9cb53a865ae026f28501a469078a5ca48df9
+Bottom: 07d762fd38d600310567e328e80e1b79b68edcf4
+Top:    c1a698990b72ac8bdc2a28b520626b33471c00ae
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index c79c8a0..250c52b 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 54dc9cb53a865ae026f28501a469078a5ca48df9
-Top:    f2df3f2410eb8c7978798b2bd791b2fdc45b156d
+Bottom: c1a698990b72ac8bdc2a28b520626b33471c00ae
+Top:    5ea62d01e9347793c938b6e18e84f3dab1ca318e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index c25fc87..a573ff4 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,5 +1,5 @@
-Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
-Top:    ec44285035bdee25fdfdd25c2385cb08deeced27
+Bottom: 50e2fbc0bfe0ec92d66e09e6b0891dfd6c8d53b7
+Top:    dd5f61ec57d719c37843c4e02281f6e13e85e1e6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 3a5b6c8..99b3533 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: f2df3f2410eb8c7978798b2bd791b2fdc45b156d
-Top:    34ba4b413ec2770c09b9d2be65d6f179dc931409
+Bottom: 5ea62d01e9347793c938b6e18e84f3dab1ca318e
+Top:    16f2fe7871e24dc405b45dbd94bc718ff43c10c3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 6160c0a..c012844 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 34ba4b413ec2770c09b9d2be65d6f179dc931409
-Top:    f23d47c6bfcfa87ae920dd9dcae29c054fdf1287
+Bottom: 16f2fe7871e24dc405b45dbd94bc718ff43c10c3
+Top:    59b9261000c6b7a639e3a84300c7502a80c42a4e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 33adf81..c52c51b 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 8bccd91fa434fbc218a608426cc927d18c5a4741
-Top:    fe51f29d9106a6912de339229dec19e904bbc8e2
+Bottom: 9984c2c6125f0eafc7653a65bbb6f102a16155f2
+Top:    f41451b18f5e7f9e3ddc0dbf945169dbd61eda46
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 2711dca..6db5822 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 4537e5e668ab95e605ff113bad5fec616212481b
-Top:    8bccd91fa434fbc218a608426cc927d18c5a4741
+Bottom: 4cb7add8806fa3c3f15a04c29259e9eddc417ba6
+Top:    9984c2c6125f0eafc7653a65bbb6f102a16155f2
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index d8463d0..92a5437 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: f23d47c6bfcfa87ae920dd9dcae29c054fdf1287
-Top:    4537e5e668ab95e605ff113bad5fec616212481b
+Bottom: 59b9261000c6b7a639e3a84300c7502a80c42a4e
+Top:    4cb7add8806fa3c3f15a04c29259e9eddc417ba6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 2a09c97..380a2c0 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: fe51f29d9106a6912de339229dec19e904bbc8e2
-Top:    84c9ce418c9f8b475576cd17329f2eba0eb54cfb
+Bottom: f41451b18f5e7f9e3ddc0dbf945169dbd61eda46
+Top:    79b6c41eb30b57d0ae06b3a08774d66214439506
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 40452fa..02a3774 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 84c9ce418c9f8b475576cd17329f2eba0eb54cfb
-Top:    39f47ac852160ce679bd115e2adad12da35bb14f
+Bottom: 79b6c41eb30b57d0ae06b3a08774d66214439506
+Top:    2efb87de244b3766a61de3499319c10a0f2b0722
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index aee55ed..182a5c2 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 39f47ac852160ce679bd115e2adad12da35bb14f
-Top:    161db65f6a283f93d796b6d782c90ce82ff5586e
+Bottom: 2efb87de244b3766a61de3499319c10a0f2b0722
+Top:    9a302c73b3e66c244488b83c45b0093b7c583835
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index 1da1731..73bc64a 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 161db65f6a283f93d796b6d782c90ce82ff5586e
-Top:    b84a5f688770814e8732185c0f64b14903b5b29a
+Bottom: 9a302c73b3e66c244488b83c45b0093b7c583835
+Top:    9cd1ed610c81866354975c873c2429e57421212a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a16217056ff0a4d0283a48b0866c343275e665cc

commit a16217056ff0a4d0283a48b0866c343275e665cc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=59a4161882789129bbe1ad4f10f88c77e274cca3

commit 59a4161882789129bbe1ad4f10f88c77e274cca3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f1eb3c581f36a70cbaba74b299638fa1c2f6a915

commit f1eb3c581f36a70cbaba74b299638fa1c2f6a915
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b85499751668443c0f62c4c3870c5d168d49ecaa

commit b85499751668443c0f62c4c3870c5d168d49ecaa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1e1e61430f3317fd1b9dc97dd2a93476c4d8aa42

commit 1e1e61430f3317fd1b9dc97dd2a93476c4d8aa42
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=46fa2f9291a5ba618a719449d339d8cdf55c471e

commit 46fa2f9291a5ba618a719449d339d8cdf55c471e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2041cdf01d0056eaf965a1eb716d32880a7d63fe

commit 2041cdf01d0056eaf965a1eb716d32880a7d63fe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=22e6f0a3bcaca29f27609644baf5fea9a4175248

commit 22e6f0a3bcaca29f27609644baf5fea9a4175248
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7ee91213d3fc5f11dd4cc39b0abcc7e4c2e4dd23

commit 7ee91213d3fc5f11dd4cc39b0abcc7e4c2e4dd23
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e3c55c602e828c608f1f6230e75ecbb2416caf16

commit e3c55c602e828c608f1f6230e75ecbb2416caf16
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=40291dd9759713efc7236398de48112816f0f3d6

commit 40291dd9759713efc7236398de48112816f0f3d6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=443d8e06a844671359ebf35dba1211a3178ee4ad

commit 443d8e06a844671359ebf35dba1211a3178ee4ad
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=206f4e754558d0c111d9b727285bf9d6c4b86598

commit 206f4e754558d0c111d9b727285bf9d6c4b86598
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=39277bc7d9f8f88e3250ebf2bab380fd90c64d1d

commit 39277bc7d9f8f88e3250ebf2bab380fd90c64d1d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e6721bc24292e81decca229364fe5d9c3c6ea71d

commit e6721bc24292e81decca229364fe5d9c3c6ea71d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f77283b4b552daf9def0c190fccc5f5c4387068c

commit f77283b4b552daf9def0c190fccc5f5c4387068c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..47176cc 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4fad6857b15ad881c5a287349a0d13c093605336

commit 4fad6857b15ad881c5a287349a0d13c093605336
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d4f225eef42541dc480740f9943bfb95af1ac6ea

commit d4f225eef42541dc480740f9943bfb95af1ac6ea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dabcbeb1f646a611c3e18db1dbf0d317276c5fbc

commit dabcbeb1f646a611c3e18db1dbf0d317276c5fbc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..a3c8fa5 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,6 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
@@ -127,6 +134,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +202,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +250,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +266,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +281,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +300,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +382,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +409,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ae74a2f95b7ccea4362a553291e9dd5c403915e3

commit ae74a2f95b7ccea4362a553291e9dd5c403915e3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dc003e9af2abd847740effc6ffb70ad00be9756f

commit dc003e9af2abd847740effc6ffb70ad00be9756f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=30f1f3822b1f3a1e8a69529880d4e8e924a3d35a

commit 30f1f3822b1f3a1e8a69529880d4e8e924a3d35a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d739c28d7512bc43968ecc860a2501aeb2b38862

commit d739c28d7512bc43968ecc860a2501aeb2b38862
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7288eb7651261bf0ff7d26fd94d47c4a6267169f

commit 7288eb7651261bf0ff7d26fd94d47c4a6267169f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f8001a47dc69f4ca878ae0b18dde1eab6f47ca23

commit f8001a47dc69f4ca878ae0b18dde1eab6f47ca23
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a55b2aa9900f7f2d98793bb44e882e32b000150b

commit a55b2aa9900f7f2d98793bb44e882e32b000150b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..d183e12 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,412 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+properties we documented are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eedf24efbcebfb452c91b90e339079e6810b195f

commit eedf24efbcebfb452c91b90e339079e6810b195f
Merge: 72dfcd1 479c336
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:12 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=72dfcd1ff5e40b6acf8464423c0e772ccb010b6f

commit 72dfcd1ff5e40b6acf8464423c0e772ccb010b6f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:12 2013 -0300

    rename

diff --git a/meta b/meta
index 70f3825..8920391 100644
--- a/meta
+++ b/meta
@@ -1,10 +1,10 @@
 Version: 1
-Previous: 872dfa5c522f125ea0ae7678c4cd9af17b527c2a
+Previous: 479c336b75a91c9742290b344b093951c4afc234
 Head: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
-  remove-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
+  remove-sysdeps-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
 Unapplied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
diff --git a/patches/remove-ieee754-support.patch b/patches/remove-sysdeps-ieee754-support.patch
similarity index 100%
rename from patches/remove-ieee754-support.patch
rename to patches/remove-sysdeps-ieee754-support.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=479c336b75a91c9742290b344b093951c4afc234

commit 479c336b75a91c9742290b344b093951c4afc234
Merge: 04b90f6 872dfa5 a25c519
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:02 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=04b90f6c81d9a83ba44f6e4b2f1dc69e6b1c4111

commit 04b90f6c81d9a83ba44f6e4b2f1dc69e6b1c4111
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:34:02 2013 -0300

    float

diff --git a/meta b/meta
index 635f98d..70f3825 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,10 @@
 Version: 1
-Previous: c415bd7267d6aa4084922144b7ec8fba624935d3
-Head: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
+Previous: 872dfa5c522f125ea0ae7678c4cd9af17b527c2a
+Head: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
   unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
+  remove-ieee754-support.patch: a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
 Unapplied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
@@ -30,5 +31,4 @@ Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 88d6db1efac30fda4ced56f1f651174b35cf5214
   wip-manual-document-mt-safety-threads.patch: a876db182b7283130d6189eb55ea401d35053850
   wip-manual-document-mt-safety-time.patch: f24766f16a7fc05837ee864671592bdd230d4631
-  remove-ieee754-support.patch: 29601892fc048942d31e8e0d1768365ced9a95de
 Hidden:
diff --git a/patches/remove-ieee754-support.patch b/patches/remove-ieee754-support.patch
index 1b82d3a..69f8047 100644
--- a/patches/remove-ieee754-support.patch
+++ b/patches/remove-ieee754-support.patch
@@ -1,5 +1,5 @@
-Bottom: b84a5f688770814e8732185c0f64b14903b5b29a
-Top:    9cd1ed610c81866354975c873c2429e57421212a
+Bottom: 0cde62ba14858955eaea55ab1c1dff0f01f3a01a
+Top:    50e2fbc0bfe0ec92d66e09e6b0891dfd6c8d53b7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-16 00:32:53 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a25c51911f256292d5cc15cc5dbb8f7f2726c9e6

commit a25c51911f256292d5cc15cc5dbb8f7f2726c9e6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:32:53 2013 -0300

    Remove unused sysdeps/ieee754/support.c.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c: Remove.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
deleted file mode 100644
index 0bbd892..0000000
--- a/sysdeps/ieee754/support.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
-#endif /* not lint */
-
-/*
- * Some IEEE standard 754 recommended functions and remainder and sqrt for
- * supporting the C elementary functions.
- ******************************************************************************
- * WARNING:
- *      These codes are developed (in double) to support the C elementary
- * functions temporarily. They are not universal, and some of them are very
- * slow (in particular, drem and sqrt is extremely inefficient). Each
- * computer system should have its implementation of these functions using
- * its own assembler.
- ******************************************************************************
- *
- * IEEE 754 required operations:
- *     drem(x,p)
- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
- *              nearest x/y; in half way case, choose the even one.
- *     sqrt(x)
- *              returns the square root of x correctly rounded according to
- *		the rounding mod.
- *
- * IEEE 754 recommended functions:
- * (a) copysign(x,y)
- *              returns x with the sign of y.
- * (b) scalb(x,N)
- *              returns  x * (2**N), for integer values N.
- * (c) logb(x)
- *              returns the unbiased exponent of x, a signed integer in
- *              double precision, except that logb(0) is -INF, logb(INF)
- *              is +INF, and logb(NAN) is that NAN.
- * (d) finite(x)
- *              returns the value TRUE if -INF < x < +INF and returns
- *              FALSE otherwise.
- *
- *
- * CODED IN C BY K.C. NG, 11/25/84;
- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
- */
-
-#include "mathimpl.h"
-
-#if defined(vax)||defined(tahoe)      /* VAX D format */
-#include <errno.h>
-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
-    static const short  prep1=57, gap=7, bias=129           ;
-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
-#else	/* defined(vax)||defined(tahoe) */
-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
-    static const short prep1=54, gap=4, bias=1023           ;
-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
-#endif	/* defined(vax)||defined(tahoe) */
-
-double scalbn(x,N)
-double x; int N;
-{
-        int k;
-
-#ifdef national
-        unsigned short *px=(unsigned short *) &x + 3;
-#else	/* national */
-        unsigned short *px=(unsigned short *) &x;
-#endif	/* national */
-
-        if( x == zero )  return(x);
-
-#if defined(vax)||defined(tahoe)
-        if( (k= *px & mexp ) != ~msign ) {
-            if (N < -260)
-		return(nunf*nunf);
-	    else if (N > 260) {
-		return(copysign(infnan(ERANGE),x));
-	    }
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp ) {
-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
-            if( k == 0 ) {
-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
-#endif	/* defined(vax)||defined(tahoe) */
-
-            if((k = (k>>gap)+ N) > 0 )
-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
-                else x=novf+novf;               /* overflow */
-            else
-                if( k > -prep1 )
-                                        /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
-                else
-                return(nunf*nunf);
-            }
-        return(x);
-}
-
-
-double copysign(x,y)
-double x,y;
-{
-#ifdef national
-        unsigned short  *px=(unsigned short *) &x+3,
-                        *py=(unsigned short *) &y+3;
-#else	/* national */
-        unsigned short  *px=(unsigned short *) &x,
-                        *py=(unsigned short *) &y;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        if ( (*px & mexp) == 0 ) return(x);
-#endif	/* defined(vax)||defined(tahoe) */
-
-        *px = ( *px & msign ) | ( *py & ~msign );
-        return(x);
-}
-
-double logb(x)
-double x;
-{
-
-#ifdef national
-        short *px=(short *) &x+3, k;
-#else	/* national */
-        short *px=(short *) &x, k;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        return (int)(((*px&mexp)>>gap)-bias);
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp )
-            if ( k != 0 )
-                return ( (k>>gap) - bias );
-            else if( x != zero)
-                return ( -1022.0 );
-            else
-                return(-(1.0/zero));
-        else if(x != x)
-            return(x);
-        else
-            {*px &= msign; return(x);}
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-finite(x)
-double x;
-{
-#if defined(vax)||defined(tahoe)
-        return(1);
-#else	/* defined(vax)||defined(tahoe) */
-#ifdef national
-        return( (*((short *) &x+3 ) & mexp ) != mexp );
-#else	/* national */
-        return( (*((short *) &x ) & mexp ) != mexp );
-#endif	/* national */
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-double drem(x,p)
-double x,p;
-{
-        short sign;
-        double hp,dp,tmp;
-        unsigned short  k;
-#ifdef national
-        unsigned short
-              *px=(unsigned short *) &x  +3,
-              *pp=(unsigned short *) &p  +3,
-              *pd=(unsigned short *) &dp +3,
-              *pt=(unsigned short *) &tmp+3;
-#else	/* national */
-        unsigned short
-              *px=(unsigned short *) &x  ,
-              *pp=(unsigned short *) &p  ,
-              *pd=(unsigned short *) &dp ,
-              *pt=(unsigned short *) &tmp;
-#endif	/* national */
-
-        *pp &= msign ;
-
-#if defined(vax)||defined(tahoe)
-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *px & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		return  (x-p)-(x-p);	/* create nan if x is inf */
-	if (p == zero) {
-#if defined(vax)||defined(tahoe)
-		return(infnan(EDOM));
-#else	/* defined(vax)||defined(tahoe) */
-		return zero/zero;
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-#if defined(vax)||defined(tahoe)
-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *pp & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		{ if (p != p) return p; else return x;}
-
-        else  if ( ((*pp & mexp)>>gap) <= 1 )
-                /* subnormal p, or almost subnormal p */
-            { double b; b=scalbn(1.0,(int)prep1);
-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
-        else  if ( p >= novf/2)
-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
-        else
-            {
-                dp=p+p; hp=p/2;
-                sign= *px & ~msign ;
-                *px &= msign       ;
-                while ( x > dp )
-                    {
-                        k=(*px & mexp) - (*pd & mexp) ;
-                        tmp = dp ;
-                        *pt += k ;
-
-#if defined(vax)||defined(tahoe)
-                        if( x < tmp ) *pt -= 128 ;
-#else	/* defined(vax)||defined(tahoe) */
-                        if( x < tmp ) *pt -= 16 ;
-#endif	/* defined(vax)||defined(tahoe) */
-
-                        x -= tmp ;
-                    }
-                if ( x > hp )
-                    { x -= p ;  if ( x >= hp ) x -= p ; }
-
-#if defined(vax)||defined(tahoe)
-		if (x)
-#endif	/* defined(vax)||defined(tahoe) */
-			*px ^= sign;
-                return( x);
-
-            }
-}
-
-
-double sqrt(x)
-double x;
-{
-        double q,s,b,r;
-        double t;
-	double const zero=0.0;
-        int m,n,i;
-#if defined(vax)||defined(tahoe)
-        int k=54;
-#else	/* defined(vax)||defined(tahoe) */
-        int k=51;
-#endif	/* defined(vax)||defined(tahoe) */
-
-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-        if(x!=x||x==zero) return(x);
-
-    /* sqrt(negative) is invalid */
-        if(x<zero) {
-#if defined(vax)||defined(tahoe)
-		return (infnan(EDOM));	/* NaN */
-#else	/* defined(vax)||defined(tahoe) */
-		return(zero/zero);
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-    /* sqrt(INF) is INF */
-        if(!finite(x)) return(x);
-
-    /* scale x to [1,4) */
-        n=logb(x);
-        x=scalbn(x,-n);
-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
-        m += n;
-        n = m/2;
-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
-
-    /* generate sqrt(x) bit by bit (accumulating in q) */
-            q=1.0; s=4.0; x -= 1.0; r=1;
-            for(i=1;i<=k;i++) {
-                t=s+1; x *= 4; r /= 2;
-                if(t<=x) {
-                    s=t+t+2, x -= t; q += r;}
-                else
-                    s *= 2;
-                }
-
-    /* generate the last bit and determine the final rounding */
-            r/=2; x *= 4;
-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
-            if(s<x) {
-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
-                t = (x-s)-5;
-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
-            else {
-                s *= 2; x *= 4;
-                t = (x-s)-1;
-                b=1.0+3*r/4; if(b==1.0) goto end;
-                b=1.0+r/4;   if(b>1.0) t=1;
-                if(t>=0) q+=r; }
-
-end:        return(scalbn(q,n));
-}
-
-#if 0
-/* DREM(X,Y)
- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
- * INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions (not on a VAX):
- *     swapINX(i): save inexact flag and reset it to "i"
- *     swapENI(e): save inexact enable and reset it to "e"
- */
-
-double drem(x,y)
-double x,y;
-{
-
-#ifdef national		/* order of words in floating point number */
-	static const n0=3,n1=2,n2=1,n3=0;
-#else /* VAX, SUN, ZILOG, TAHOE */
-	static const n0=0,n1=1,n2=2,n3=3;
-#endif
-
-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
-	static const double zero=0.0;
-	double hy,y1,t,t1;
-	short k;
-	long n;
-	int i,e;
-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
-			nx,nf,	  *py  =(unsigned short *) &y  ,
-			sign,	  *pt  =(unsigned short *) &t  ,
-				  *pt1 =(unsigned short *) &t1 ;
-
-	xexp = px[n0] & mexp ;	/* exponent of x */
-	yexp = py[n0] & mexp ;	/* exponent of y */
-	sign = px[n0] &0x8000;	/* sign of x     */
-
-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
-	if(y==zero) return(y/y);
-
-/* save the inexact flag and inexact enable in i and e respectively
- * and reset them to zero
- */
-	i=swapINX(0);	e=swapENI(0);
-
-/* subnormal number */
-	nx=0;
-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
-
-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
-
-	nf=nx;
-	py[n0] &= 0x7fff;
-	px[n0] &= 0x7fff;
-
-/* mask off the least significant 27 bits of y */
-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
-
-/* LOOP: argument reduction on x whenever x > y */
-loop:
-	while ( x > y )
-	{
-	    t=y;
-	    t1=y1;
-	    xexp=px[n0]&mexp;	  /* exponent of x */
-	    k=xexp-yexp-m25;
-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
-		{pt[n0]+=k;pt1[n0]+=k;}
-	    n=x/t; x=(x-n*t1)-n*(t-t1);
-	}
-    /* end while (x > y) */
-
-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
-
-/* final adjustment */
-
-	hy=y/2.0;
-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
-	px[n0] ^= sign;
-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
-
-/* restore inexact flag and inexact enable */
-	swapINX(i); swapENI(e);
-
-	return(x);
-}
-#endif
-
-#if 0
-/* SQRT
- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/22/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions:
- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
- */
-
-static const unsigned long table[] = {
-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
-
-double newsqrt(x)
-double x;
-{
-        double y,z,t,addc(),subc()
-	double const b54=134217728.*134217728.; /* b54=2**54 */
-        long mx,scalx;
-	long const mexp=0x7ff00000;
-        int i,j,r,e,swapINX(),swapRM(),swapENI();
-        unsigned long *py=(unsigned long *) &y   ,
-                      *pt=(unsigned long *) &t   ,
-                      *px=(unsigned long *) &x   ;
-#ifdef national         /* ordering of word in a floating point number */
-        const int n0=1, n1=0;
-#else
-        const int n0=0, n1=1;
-#endif
-/* Rounding Mode:  RN ...round-to-nearest
- *                 RZ ...round-towards 0
- *                 RP ...round-towards +INF
- *		   RM ...round-towards -INF
- */
-        const int RN=0,RZ=1,RP=2,RM=3;
-				/* machine dependent: work on a Zilog Z8070
-                                 * and a National 32081 & 16081
-                                 */
-
-/* exceptions */
-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
-
-/* save, reset, initialize */
-        e=swapENI(0);   /* ...save and reset the inexact enable */
-        i=swapINX(0);   /* ...save INEXACT flag */
-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
-        scalx=0;
-
-/* subnormal number, scale up x to x*2**54 */
-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
-
-/* scale x to avoid intermediate over/underflow:
- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
-
-/* magic initial approximation to almost 8 sig. bits */
-        py[n0]=(px[n0]>>1)+0x1ff80000;
-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
-
-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
-
-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
-
-/* twiddle last bit to force y correctly rounded */
-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
-        swapINX(0);     /* ...clear INEXACT flag */
-        swapENI(e);     /* ...restore inexact enable status */
-        t=x/y;          /* ...chopped quotient, possibly inexact */
-        j=swapINX(i);   /* ...read and restore inexact flag */
-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
-        y=y+t;                          /* ...chopped sum */
-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
-        swapRM(r);                      /* ...restore Rounding Mode */
-        return(y);
-}
-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=872dfa5c522f125ea0ae7678c4cd9af17b527c2a

commit 872dfa5c522f125ea0ae7678c4cd9af17b527c2a
Merge: a9d9272 ca2910c c415bd7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:57 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a9d9272935702bc331ddd43b63c32af71ed58b7f

commit a9d9272935702bc331ddd43b63c32af71ed58b7f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:57 2013 -0300

    float

diff --git a/meta b/meta
index 0689931..635f98d 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,11 @@
 Version: 1
-Previous: db95c6393f559d6cb9b4cbf00010033c0f577e78
-Head: 06e4960536888589dff34cbc68b16091f303bc5e
+Previous: c415bd7267d6aa4084922144b7ec8fba624935d3
+Head: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
 Applied:
   powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
+  unused-scalb-is-scalbn.patch: ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
 Unapplied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
-  unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
   manual-document-mt-safety-arith.patch: f44135c2502e59169f999d4373ae92b799a3243f
   manual-document-mt-safety-charset.patch: c4b388232d899078a1b6d6a59f8c81d91b48f0a1
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 7c99769..eec1d7e 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,5 +1,5 @@
-Bottom: d924767fdd94034e5ddf99b3e5a9291d4c5a5366
-Top:    34670202bf46f8c2807d998163a3ae485669f59e
+Bottom: b937cc635d4d2275aefa75f55fe195e302fbe4e3
+Top:    0cde62ba14858955eaea55ab1c1dff0f01f3a01a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f

commit ca2910ce3d85f4ab9b8c4e8d31bc243eab5f1c0f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c415bd7267d6aa4084922144b7ec8fba624935d3

commit c415bd7267d6aa4084922144b7ec8fba624935d3
Merge: de4f085 06e4960 db95c63
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:53 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=de4f0851f3b84b058d2d72cc8eefa20bd46f30e7

commit de4f0851f3b84b058d2d72cc8eefa20bd46f30e7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:53 2013 -0300

    float

diff --git a/meta b/meta
index ef55652..0689931 100644
--- a/meta
+++ b/meta
@@ -1,10 +1,10 @@
 Version: 1
-Previous: 81f115354cd3a8197aefc51902185576074e32e4
-Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
+Previous: db95c6393f559d6cb9b4cbf00010033c0f577e78
+Head: 06e4960536888589dff34cbc68b16091f303bc5e
 Applied:
+  powerpc-nofpu-sim-note-nothread.patch: 06e4960536888589dff34cbc68b16091f303bc5e
 Unapplied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
-  powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
   unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
   manual-document-mt-safety-arith.patch: f44135c2502e59169f999d4373ae92b799a3243f
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index 3a80ccf..5a7513e 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,5 +1,5 @@
-Bottom: ec44285035bdee25fdfdd25c2385cb08deeced27
-Top:    d924767fdd94034e5ddf99b3e5a9291d4c5a5366
+Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
+Top:    b937cc635d4d2275aefa75f55fe195e302fbe4e3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=06e4960536888589dff34cbc68b16091f303bc5e

commit 06e4960536888589dff34cbc68b16091f303bc5e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=db95c6393f559d6cb9b4cbf00010033c0f577e78

commit db95c6393f559d6cb9b4cbf00010033c0f577e78
Merge: d14e19d ca0a6bc 81f1153
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:35 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d14e19deed286c0fbd17306a13ad325799419113

commit d14e19deed286c0fbd17306a13ad325799419113
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:35 2013 -0300

    pop

diff --git a/meta b/meta
index 2ecd428..ef55652 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,11 @@
 Version: 1
-Previous: 2429ba8875e1151438adb059a52ce5cda78efcfc
-Head: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
+Previous: 81f115354cd3a8197aefc51902185576074e32e4
+Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
 Applied:
+Unapplied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
   unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
-Unapplied:
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
   manual-document-mt-safety-arith.patch: f44135c2502e59169f999d4373ae92b799a3243f
   manual-document-mt-safety-charset.patch: c4b388232d899078a1b6d6a59f8c81d91b48f0a1

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=81f115354cd3a8197aefc51902185576074e32e4

commit 81f115354cd3a8197aefc51902185576074e32e4
Merge: 8ce4879 2429ba8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:29 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8ce4879c69c50f37ff786a66e006601fe5d8e928

commit 8ce4879c69c50f37ff786a66e006601fe5d8e928
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:29 2013 -0300

    push

diff --git a/meta b/meta
index d16bc1b..2ecd428 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,11 @@
 Version: 1
-Previous: 67bebf05cfcd9447ef623112efcb210a278428e4
-Head: e34ecb782685d8b4d0d6a9badd3c4860d373179a
+Previous: 2429ba8875e1151438adb059a52ce5cda78efcfc
+Head: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
 Applied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
-Unapplied:
   unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
+Unapplied:
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
   manual-document-mt-safety-arith.patch: f44135c2502e59169f999d4373ae92b799a3243f
   manual-document-mt-safety-charset.patch: c4b388232d899078a1b6d6a59f8c81d91b48f0a1

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2429ba8875e1151438adb059a52ce5cda78efcfc

commit 2429ba8875e1151438adb059a52ce5cda78efcfc
Merge: 47da830 67bebf0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:25 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=47da83057f825a6b7627cf670c06a7675018381c

commit 47da83057f825a6b7627cf670c06a7675018381c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:25 2013 -0300

    push

diff --git a/meta b/meta
index 150277b..d16bc1b 100644
--- a/meta
+++ b/meta
@@ -1,10 +1,10 @@
 Version: 1
-Previous: 4cdf74a8af171ed0c171c50a282b215e381e6b23
-Head: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
+Previous: 67bebf05cfcd9447ef623112efcb210a278428e4
+Head: e34ecb782685d8b4d0d6a9badd3c4860d373179a
 Applied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
-Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
+Unapplied:
   unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
   manual-document-mt-safety-arith.patch: f44135c2502e59169f999d4373ae92b799a3243f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=67bebf05cfcd9447ef623112efcb210a278428e4

commit 67bebf05cfcd9447ef623112efcb210a278428e4
Merge: 88d75e8 4cdf74a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:24 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=88d75e83597fab87a8753685c78e8e905cb9d169

commit 88d75e83597fab87a8753685c78e8e905cb9d169
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:24 2013 -0300

    push

diff --git a/meta b/meta
index c9f485f..150277b 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,9 @@
 Version: 1
-Previous: a13b35864a913a00009770907a5956526404cf5c
-Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
+Previous: 4cdf74a8af171ed0c171c50a282b215e381e6b23
+Head: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
 Applied:
-Unapplied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
+Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
   unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
   manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4cdf74a8af171ed0c171c50a282b215e381e6b23

commit 4cdf74a8af171ed0c171c50a282b215e381e6b23
Merge: 874ce9a ca0a6bc a13b358
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:20 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=874ce9aa723092e2ad86eaa9c6ab9be731fcdc33

commit 874ce9aa723092e2ad86eaa9c6ab9be731fcdc33
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:20 2013 -0300

    pop

diff --git a/meta b/meta
index e99cc26..c9f485f 100644
--- a/meta
+++ b/meta
@@ -1,7 +1,8 @@
 Version: 1
-Previous: 6491c384a0a95e8bf2201fcc6a6a87b191b4f3fb
-Head: 29601892fc048942d31e8e0d1768365ced9a95de
+Previous: a13b35864a913a00009770907a5956526404cf5c
+Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
 Applied:
+Unapplied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
   unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
@@ -30,5 +31,4 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: a876db182b7283130d6189eb55ea401d35053850
   wip-manual-document-mt-safety-time.patch: f24766f16a7fc05837ee864671592bdd230d4631
   remove-ieee754-support.patch: 29601892fc048942d31e8e0d1768365ced9a95de
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a13b35864a913a00009770907a5956526404cf5c

commit a13b35864a913a00009770907a5956526404cf5c
Merge: f692e91 2960189 6491c38
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:14 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f692e913b70221a5d615965b41cd4c677e23ab5e

commit f692e913b70221a5d615965b41cd4c677e23ab5e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:14 2013 -0300

    refresh

diff --git a/meta b/meta
index c9b4d63..e99cc26 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 575a99ada411dcc3ddc0be92200cbf114537f7b5
-Head: 45704a90d0c02a27353a86cce2023a7cff0850a8
+Previous: 6491c384a0a95e8bf2201fcc6a6a87b191b4f3fb
+Head: 29601892fc048942d31e8e0d1768365ced9a95de
 Applied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
@@ -29,7 +29,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 88d6db1efac30fda4ced56f1f651174b35cf5214
   wip-manual-document-mt-safety-threads.patch: a876db182b7283130d6189eb55ea401d35053850
   wip-manual-document-mt-safety-time.patch: f24766f16a7fc05837ee864671592bdd230d4631
-  remove-ieee754-support.patch: 511350628e6d67533247487df877b6b5c8110398
-  refresh-temp: 45704a90d0c02a27353a86cce2023a7cff0850a8
+  remove-ieee754-support.patch: 29601892fc048942d31e8e0d1768365ced9a95de
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 1ea4fb8..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,535 +0,0 @@
-Bottom: b84a5f688770814e8732185c0f64b14903b5b29a
-Top:    9cd1ed610c81866354975c873c2429e57421212a
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 00:33:13 -0300
-
-Refresh of remove-ieee754-support.patch
-
----
-
-diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
-deleted file mode 100644
-index 0bbd892f..0000000
---- a/sysdeps/ieee754/support.c
-+++ /dev/null
-@@ -1,520 +0,0 @@
--/*
-- * Copyright (c) 1985, 1993
-- *	The Regents of the University of California.  All rights reserved.
-- *
-- * Redistribution and use in source and binary forms, with or without
-- * modification, are permitted provided that the following conditions
-- * are met:
-- * 1. Redistributions of source code must retain the above copyright
-- *    notice, this list of conditions and the following disclaimer.
-- * 2. Redistributions in binary form must reproduce the above copyright
-- *    notice, this list of conditions and the following disclaimer in the
-- *    documentation and/or other materials provided with the distribution.
-- * 4. Neither the name of the University nor the names of its contributors
-- *    may be used to endorse or promote products derived from this software
-- *    without specific prior written permission.
-- *
-- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-- * SUCH DAMAGE.
-- */
--
--#ifndef lint
--static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
--#endif /* not lint */
--
--/*
-- * Some IEEE standard 754 recommended functions and remainder and sqrt for
-- * supporting the C elementary functions.
-- ******************************************************************************
-- * WARNING:
-- *      These codes are developed (in double) to support the C elementary
-- * functions temporarily. They are not universal, and some of them are very
-- * slow (in particular, drem and sqrt is extremely inefficient). Each
-- * computer system should have its implementation of these functions using
-- * its own assembler.
-- ******************************************************************************
-- *
-- * IEEE 754 required operations:
-- *     drem(x,p)
-- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
-- *              nearest x/y; in half way case, choose the even one.
-- *     sqrt(x)
-- *              returns the square root of x correctly rounded according to
-- *		the rounding mod.
-- *
-- * IEEE 754 recommended functions:
-- * (a) copysign(x,y)
-- *              returns x with the sign of y.
-- * (b) scalb(x,N)
-- *              returns  x * (2**N), for integer values N.
-- * (c) logb(x)
-- *              returns the unbiased exponent of x, a signed integer in
-- *              double precision, except that logb(0) is -INF, logb(INF)
-- *              is +INF, and logb(NAN) is that NAN.
-- * (d) finite(x)
-- *              returns the value TRUE if -INF < x < +INF and returns
-- *              FALSE otherwise.
-- *
-- *
-- * CODED IN C BY K.C. NG, 11/25/84;
-- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
-- */
--
--#include "mathimpl.h"
--
--#if defined(vax)||defined(tahoe)      /* VAX D format */
--#include <errno.h>
--    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
--    static const short  prep1=57, gap=7, bias=129           ;
--    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
--#else	/* defined(vax)||defined(tahoe) */
--    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
--    static const short prep1=54, gap=4, bias=1023           ;
--    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
--#endif	/* defined(vax)||defined(tahoe) */
--
--double scalbn(x,N)
--double x; int N;
--{
--        int k;
--
--#ifdef national
--        unsigned short *px=(unsigned short *) &x + 3;
--#else	/* national */
--        unsigned short *px=(unsigned short *) &x;
--#endif	/* national */
--
--        if( x == zero )  return(x);
--
--#if defined(vax)||defined(tahoe)
--        if( (k= *px & mexp ) != ~msign ) {
--            if (N < -260)
--		return(nunf*nunf);
--	    else if (N > 260) {
--		return(copysign(infnan(ERANGE),x));
--	    }
--#else	/* defined(vax)||defined(tahoe) */
--        if( (k= *px & mexp ) != mexp ) {
--            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
--            if( k == 0 ) {
--                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
--#endif	/* defined(vax)||defined(tahoe) */
--
--            if((k = (k>>gap)+ N) > 0 )
--                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
--                else x=novf+novf;               /* overflow */
--            else
--                if( k > -prep1 )
--                                        /* gradual underflow */
--                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
--                else
--                return(nunf*nunf);
--            }
--        return(x);
--}
--
--
--double copysign(x,y)
--double x,y;
--{
--#ifdef national
--        unsigned short  *px=(unsigned short *) &x+3,
--                        *py=(unsigned short *) &y+3;
--#else	/* national */
--        unsigned short  *px=(unsigned short *) &x,
--                        *py=(unsigned short *) &y;
--#endif	/* national */
--
--#if defined(vax)||defined(tahoe)
--        if ( (*px & mexp) == 0 ) return(x);
--#endif	/* defined(vax)||defined(tahoe) */
--
--        *px = ( *px & msign ) | ( *py & ~msign );
--        return(x);
--}
--
--double logb(x)
--double x;
--{
--
--#ifdef national
--        short *px=(short *) &x+3, k;
--#else	/* national */
--        short *px=(short *) &x, k;
--#endif	/* national */
--
--#if defined(vax)||defined(tahoe)
--        return (int)(((*px&mexp)>>gap)-bias);
--#else	/* defined(vax)||defined(tahoe) */
--        if( (k= *px & mexp ) != mexp )
--            if ( k != 0 )
--                return ( (k>>gap) - bias );
--            else if( x != zero)
--                return ( -1022.0 );
--            else
--                return(-(1.0/zero));
--        else if(x != x)
--            return(x);
--        else
--            {*px &= msign; return(x);}
--#endif	/* defined(vax)||defined(tahoe) */
--}
--
--finite(x)
--double x;
--{
--#if defined(vax)||defined(tahoe)
--        return(1);
--#else	/* defined(vax)||defined(tahoe) */
--#ifdef national
--        return( (*((short *) &x+3 ) & mexp ) != mexp );
--#else	/* national */
--        return( (*((short *) &x ) & mexp ) != mexp );
--#endif	/* national */
--#endif	/* defined(vax)||defined(tahoe) */
--}
--
--double drem(x,p)
--double x,p;
--{
--        short sign;
--        double hp,dp,tmp;
--        unsigned short  k;
--#ifdef national
--        unsigned short
--              *px=(unsigned short *) &x  +3,
--              *pp=(unsigned short *) &p  +3,
--              *pd=(unsigned short *) &dp +3,
--              *pt=(unsigned short *) &tmp+3;
--#else	/* national */
--        unsigned short
--              *px=(unsigned short *) &x  ,
--              *pp=(unsigned short *) &p  ,
--              *pd=(unsigned short *) &dp ,
--              *pt=(unsigned short *) &tmp;
--#endif	/* national */
--
--        *pp &= msign ;
--
--#if defined(vax)||defined(tahoe)
--        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
--#else	/* defined(vax)||defined(tahoe) */
--        if( ( *px & mexp ) == mexp )
--#endif	/* defined(vax)||defined(tahoe) */
--		return  (x-p)-(x-p);	/* create nan if x is inf */
--	if (p == zero) {
--#if defined(vax)||defined(tahoe)
--		return(infnan(EDOM));
--#else	/* defined(vax)||defined(tahoe) */
--		return zero/zero;
--#endif	/* defined(vax)||defined(tahoe) */
--	}
--
--#if defined(vax)||defined(tahoe)
--        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
--#else	/* defined(vax)||defined(tahoe) */
--        if( ( *pp & mexp ) == mexp )
--#endif	/* defined(vax)||defined(tahoe) */
--		{ if (p != p) return p; else return x;}
--
--        else  if ( ((*pp & mexp)>>gap) <= 1 )
--                /* subnormal p, or almost subnormal p */
--            { double b; b=scalbn(1.0,(int)prep1);
--              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
--        else  if ( p >= novf/2)
--            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
--        else
--            {
--                dp=p+p; hp=p/2;
--                sign= *px & ~msign ;
--                *px &= msign       ;
--                while ( x > dp )
--                    {
--                        k=(*px & mexp) - (*pd & mexp) ;
--                        tmp = dp ;
--                        *pt += k ;
--
--#if defined(vax)||defined(tahoe)
--                        if( x < tmp ) *pt -= 128 ;
--#else	/* defined(vax)||defined(tahoe) */
--                        if( x < tmp ) *pt -= 16 ;
--#endif	/* defined(vax)||defined(tahoe) */
--
--                        x -= tmp ;
--                    }
--                if ( x > hp )
--                    { x -= p ;  if ( x >= hp ) x -= p ; }
--
--#if defined(vax)||defined(tahoe)
--		if (x)
--#endif	/* defined(vax)||defined(tahoe) */
--			*px ^= sign;
--                return( x);
--
--            }
--}
--
--
--double sqrt(x)
--double x;
--{
--        double q,s,b,r;
--        double t;
--	double const zero=0.0;
--        int m,n,i;
--#if defined(vax)||defined(tahoe)
--        int k=54;
--#else	/* defined(vax)||defined(tahoe) */
--        int k=51;
--#endif	/* defined(vax)||defined(tahoe) */
--
--    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
--        if(x!=x||x==zero) return(x);
--
--    /* sqrt(negative) is invalid */
--        if(x<zero) {
--#if defined(vax)||defined(tahoe)
--		return (infnan(EDOM));	/* NaN */
--#else	/* defined(vax)||defined(tahoe) */
--		return(zero/zero);
--#endif	/* defined(vax)||defined(tahoe) */
--	}
--
--    /* sqrt(INF) is INF */
--        if(!finite(x)) return(x);
--
--    /* scale x to [1,4) */
--        n=logb(x);
--        x=scalbn(x,-n);
--        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
--        m += n;
--        n = m/2;
--        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
--
--    /* generate sqrt(x) bit by bit (accumulating in q) */
--            q=1.0; s=4.0; x -= 1.0; r=1;
--            for(i=1;i<=k;i++) {
--                t=s+1; x *= 4; r /= 2;
--                if(t<=x) {
--                    s=t+t+2, x -= t; q += r;}
--                else
--                    s *= 2;
--                }
--
--    /* generate the last bit and determine the final rounding */
--            r/=2; x *= 4;
--            if(x==zero) goto end; 100+r; /* trigger inexact flag */
--            if(s<x) {
--                q+=r; x -=s; s += 2; s *= 2; x *= 4;
--                t = (x-s)-5;
--                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
--                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
--                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
--            else {
--                s *= 2; x *= 4;
--                t = (x-s)-1;
--                b=1.0+3*r/4; if(b==1.0) goto end;
--                b=1.0+r/4;   if(b>1.0) t=1;
--                if(t>=0) q+=r; }
--
--end:        return(scalbn(q,n));
--}
--
--#if 0
--/* DREM(X,Y)
-- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
-- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
-- * INTENDED FOR ASSEMBLY LANGUAGE
-- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
-- *
-- * Warning: this code should not get compiled in unless ALL of
-- * the following machine-dependent routines are supplied.
-- *
-- * Required machine dependent functions (not on a VAX):
-- *     swapINX(i): save inexact flag and reset it to "i"
-- *     swapENI(e): save inexact enable and reset it to "e"
-- */
--
--double drem(x,y)
--double x,y;
--{
--
--#ifdef national		/* order of words in floating point number */
--	static const n0=3,n1=2,n2=1,n3=0;
--#else /* VAX, SUN, ZILOG, TAHOE */
--	static const n0=0,n1=1,n2=2,n3=3;
--#endif
--
--	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
--	static const double zero=0.0;
--	double hy,y1,t,t1;
--	short k;
--	long n;
--	int i,e;
--	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
--			nx,nf,	  *py  =(unsigned short *) &y  ,
--			sign,	  *pt  =(unsigned short *) &t  ,
--				  *pt1 =(unsigned short *) &t1 ;
--
--	xexp = px[n0] & mexp ;	/* exponent of x */
--	yexp = py[n0] & mexp ;	/* exponent of y */
--	sign = px[n0] &0x8000;	/* sign of x     */
--
--/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
--	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
--	if( xexp == mexp )   return(zero/zero);      /* x is INF */
--	if(y==zero) return(y/y);
--
--/* save the inexact flag and inexact enable in i and e respectively
-- * and reset them to zero
-- */
--	i=swapINX(0);	e=swapENI(0);
--
--/* subnormal number */
--	nx=0;
--	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
--
--/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
--	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
--
--	nf=nx;
--	py[n0] &= 0x7fff;
--	px[n0] &= 0x7fff;
--
--/* mask off the least significant 27 bits of y */
--	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
--
--/* LOOP: argument reduction on x whenever x > y */
--loop:
--	while ( x > y )
--	{
--	    t=y;
--	    t1=y1;
--	    xexp=px[n0]&mexp;	  /* exponent of x */
--	    k=xexp-yexp-m25;
--	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
--		{pt[n0]+=k;pt1[n0]+=k;}
--	    n=x/t; x=(x-n*t1)-n*(t-t1);
--	}
--    /* end while (x > y) */
--
--	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
--
--/* final adjustment */
--
--	hy=y/2.0;
--	if(x>hy||((x==hy)&&n%2==1)) x-=y;
--	px[n0] ^= sign;
--	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
--
--/* restore inexact flag and inexact enable */
--	swapINX(i); swapENI(e);
--
--	return(x);
--}
--#endif
--
--#if 0
--/* SQRT
-- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
-- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
-- * CODED IN C BY K.C. NG, 3/22/85.
-- *
-- * Warning: this code should not get compiled in unless ALL of
-- * the following machine-dependent routines are supplied.
-- *
-- * Required machine dependent functions:
-- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
-- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
-- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
-- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
-- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
-- */
--
--static const unsigned long table[] = {
--0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
--58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
--21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
--
--double newsqrt(x)
--double x;
--{
--        double y,z,t,addc(),subc()
--	double const b54=134217728.*134217728.; /* b54=2**54 */
--        long mx,scalx;
--	long const mexp=0x7ff00000;
--        int i,j,r,e,swapINX(),swapRM(),swapENI();
--        unsigned long *py=(unsigned long *) &y   ,
--                      *pt=(unsigned long *) &t   ,
--                      *px=(unsigned long *) &x   ;
--#ifdef national         /* ordering of word in a floating point number */
--        const int n0=1, n1=0;
--#else
--        const int n0=0, n1=1;
--#endif
--/* Rounding Mode:  RN ...round-to-nearest
-- *                 RZ ...round-towards 0
-- *                 RP ...round-towards +INF
-- *		   RM ...round-towards -INF
-- */
--        const int RN=0,RZ=1,RP=2,RM=3;
--				/* machine dependent: work on a Zilog Z8070
--                                 * and a National 32081 & 16081
--                                 */
--
--/* exceptions */
--	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
--	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
--        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
--
--/* save, reset, initialize */
--        e=swapENI(0);   /* ...save and reset the inexact enable */
--        i=swapINX(0);   /* ...save INEXACT flag */
--        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
--        scalx=0;
--
--/* subnormal number, scale up x to x*2**54 */
--        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
--
--/* scale x to avoid intermediate over/underflow:
-- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
--        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
--        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
--
--/* magic initial approximation to almost 8 sig. bits */
--        py[n0]=(px[n0]>>1)+0x1ff80000;
--        py[n0]=py[n0]-table[(py[n0]>>15)&31];
--
--/* Heron's rule once with correction to improve y to almost 18 sig. bits */
--        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
--
--/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
--        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
--        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
--
--/* twiddle last bit to force y correctly rounded */
--        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
--        swapINX(0);     /* ...clear INEXACT flag */
--        swapENI(e);     /* ...restore inexact enable status */
--        t=x/y;          /* ...chopped quotient, possibly inexact */
--        j=swapINX(i);   /* ...read and restore inexact flag */
--        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
--        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
--        if(r==RN) t=addc(t);            /* ...t=t+ulp */
--        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
--        y=y+t;                          /* ...chopped sum */
--        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
--end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
--        swapRM(r);                      /* ...restore Rounding Mode */
--        return(y);
--}
--#endif
diff --git a/patches/remove-ieee754-support.patch b/patches/remove-ieee754-support.patch
index 940c1a6..1b82d3a 100644
--- a/patches/remove-ieee754-support.patch
+++ b/patches/remove-ieee754-support.patch
@@ -1,5 +1,5 @@
 Bottom: b84a5f688770814e8732185c0f64b14903b5b29a
-Top:    b84a5f688770814e8732185c0f64b14903b5b29a
+Top:    9cd1ed610c81866354975c873c2429e57421212a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-16 00:32:53 -0300
 
@@ -12,4 +12,529 @@ for  ChangeLog
 
 ---
 
-
+diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
+deleted file mode 100644
+index 0bbd892f..0000000
+--- a/sysdeps/ieee754/support.c
++++ /dev/null
+@@ -1,520 +0,0 @@
+-/*
+- * Copyright (c) 1985, 1993
+- *	The Regents of the University of California.  All rights reserved.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- * 1. Redistributions of source code must retain the above copyright
+- *    notice, this list of conditions and the following disclaimer.
+- * 2. Redistributions in binary form must reproduce the above copyright
+- *    notice, this list of conditions and the following disclaimer in the
+- *    documentation and/or other materials provided with the distribution.
+- * 4. Neither the name of the University nor the names of its contributors
+- *    may be used to endorse or promote products derived from this software
+- *    without specific prior written permission.
+- *
+- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+- * SUCH DAMAGE.
+- */
+-
+-#ifndef lint
+-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
+-#endif /* not lint */
+-
+-/*
+- * Some IEEE standard 754 recommended functions and remainder and sqrt for
+- * supporting the C elementary functions.
+- ******************************************************************************
+- * WARNING:
+- *      These codes are developed (in double) to support the C elementary
+- * functions temporarily. They are not universal, and some of them are very
+- * slow (in particular, drem and sqrt is extremely inefficient). Each
+- * computer system should have its implementation of these functions using
+- * its own assembler.
+- ******************************************************************************
+- *
+- * IEEE 754 required operations:
+- *     drem(x,p)
+- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
+- *              nearest x/y; in half way case, choose the even one.
+- *     sqrt(x)
+- *              returns the square root of x correctly rounded according to
+- *		the rounding mod.
+- *
+- * IEEE 754 recommended functions:
+- * (a) copysign(x,y)
+- *              returns x with the sign of y.
+- * (b) scalb(x,N)
+- *              returns  x * (2**N), for integer values N.
+- * (c) logb(x)
+- *              returns the unbiased exponent of x, a signed integer in
+- *              double precision, except that logb(0) is -INF, logb(INF)
+- *              is +INF, and logb(NAN) is that NAN.
+- * (d) finite(x)
+- *              returns the value TRUE if -INF < x < +INF and returns
+- *              FALSE otherwise.
+- *
+- *
+- * CODED IN C BY K.C. NG, 11/25/84;
+- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
+- */
+-
+-#include "mathimpl.h"
+-
+-#if defined(vax)||defined(tahoe)      /* VAX D format */
+-#include <errno.h>
+-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
+-    static const short  prep1=57, gap=7, bias=129           ;
+-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
+-#else	/* defined(vax)||defined(tahoe) */
+-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
+-    static const short prep1=54, gap=4, bias=1023           ;
+-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-double scalbn(x,N)
+-double x; int N;
+-{
+-        int k;
+-
+-#ifdef national
+-        unsigned short *px=(unsigned short *) &x + 3;
+-#else	/* national */
+-        unsigned short *px=(unsigned short *) &x;
+-#endif	/* national */
+-
+-        if( x == zero )  return(x);
+-
+-#if defined(vax)||defined(tahoe)
+-        if( (k= *px & mexp ) != ~msign ) {
+-            if (N < -260)
+-		return(nunf*nunf);
+-	    else if (N > 260) {
+-		return(copysign(infnan(ERANGE),x));
+-	    }
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( (k= *px & mexp ) != mexp ) {
+-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
+-            if( k == 0 ) {
+-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-            if((k = (k>>gap)+ N) > 0 )
+-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
+-                else x=novf+novf;               /* overflow */
+-            else
+-                if( k > -prep1 )
+-                                        /* gradual underflow */
+-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
+-                else
+-                return(nunf*nunf);
+-            }
+-        return(x);
+-}
+-
+-
+-double copysign(x,y)
+-double x,y;
+-{
+-#ifdef national
+-        unsigned short  *px=(unsigned short *) &x+3,
+-                        *py=(unsigned short *) &y+3;
+-#else	/* national */
+-        unsigned short  *px=(unsigned short *) &x,
+-                        *py=(unsigned short *) &y;
+-#endif	/* national */
+-
+-#if defined(vax)||defined(tahoe)
+-        if ( (*px & mexp) == 0 ) return(x);
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-        *px = ( *px & msign ) | ( *py & ~msign );
+-        return(x);
+-}
+-
+-double logb(x)
+-double x;
+-{
+-
+-#ifdef national
+-        short *px=(short *) &x+3, k;
+-#else	/* national */
+-        short *px=(short *) &x, k;
+-#endif	/* national */
+-
+-#if defined(vax)||defined(tahoe)
+-        return (int)(((*px&mexp)>>gap)-bias);
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( (k= *px & mexp ) != mexp )
+-            if ( k != 0 )
+-                return ( (k>>gap) - bias );
+-            else if( x != zero)
+-                return ( -1022.0 );
+-            else
+-                return(-(1.0/zero));
+-        else if(x != x)
+-            return(x);
+-        else
+-            {*px &= msign; return(x);}
+-#endif	/* defined(vax)||defined(tahoe) */
+-}
+-
+-finite(x)
+-double x;
+-{
+-#if defined(vax)||defined(tahoe)
+-        return(1);
+-#else	/* defined(vax)||defined(tahoe) */
+-#ifdef national
+-        return( (*((short *) &x+3 ) & mexp ) != mexp );
+-#else	/* national */
+-        return( (*((short *) &x ) & mexp ) != mexp );
+-#endif	/* national */
+-#endif	/* defined(vax)||defined(tahoe) */
+-}
+-
+-double drem(x,p)
+-double x,p;
+-{
+-        short sign;
+-        double hp,dp,tmp;
+-        unsigned short  k;
+-#ifdef national
+-        unsigned short
+-              *px=(unsigned short *) &x  +3,
+-              *pp=(unsigned short *) &p  +3,
+-              *pd=(unsigned short *) &dp +3,
+-              *pt=(unsigned short *) &tmp+3;
+-#else	/* national */
+-        unsigned short
+-              *px=(unsigned short *) &x  ,
+-              *pp=(unsigned short *) &p  ,
+-              *pd=(unsigned short *) &dp ,
+-              *pt=(unsigned short *) &tmp;
+-#endif	/* national */
+-
+-        *pp &= msign ;
+-
+-#if defined(vax)||defined(tahoe)
+-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( ( *px & mexp ) == mexp )
+-#endif	/* defined(vax)||defined(tahoe) */
+-		return  (x-p)-(x-p);	/* create nan if x is inf */
+-	if (p == zero) {
+-#if defined(vax)||defined(tahoe)
+-		return(infnan(EDOM));
+-#else	/* defined(vax)||defined(tahoe) */
+-		return zero/zero;
+-#endif	/* defined(vax)||defined(tahoe) */
+-	}
+-
+-#if defined(vax)||defined(tahoe)
+-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( ( *pp & mexp ) == mexp )
+-#endif	/* defined(vax)||defined(tahoe) */
+-		{ if (p != p) return p; else return x;}
+-
+-        else  if ( ((*pp & mexp)>>gap) <= 1 )
+-                /* subnormal p, or almost subnormal p */
+-            { double b; b=scalbn(1.0,(int)prep1);
+-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
+-        else  if ( p >= novf/2)
+-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
+-        else
+-            {
+-                dp=p+p; hp=p/2;
+-                sign= *px & ~msign ;
+-                *px &= msign       ;
+-                while ( x > dp )
+-                    {
+-                        k=(*px & mexp) - (*pd & mexp) ;
+-                        tmp = dp ;
+-                        *pt += k ;
+-
+-#if defined(vax)||defined(tahoe)
+-                        if( x < tmp ) *pt -= 128 ;
+-#else	/* defined(vax)||defined(tahoe) */
+-                        if( x < tmp ) *pt -= 16 ;
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-                        x -= tmp ;
+-                    }
+-                if ( x > hp )
+-                    { x -= p ;  if ( x >= hp ) x -= p ; }
+-
+-#if defined(vax)||defined(tahoe)
+-		if (x)
+-#endif	/* defined(vax)||defined(tahoe) */
+-			*px ^= sign;
+-                return( x);
+-
+-            }
+-}
+-
+-
+-double sqrt(x)
+-double x;
+-{
+-        double q,s,b,r;
+-        double t;
+-	double const zero=0.0;
+-        int m,n,i;
+-#if defined(vax)||defined(tahoe)
+-        int k=54;
+-#else	/* defined(vax)||defined(tahoe) */
+-        int k=51;
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
+-        if(x!=x||x==zero) return(x);
+-
+-    /* sqrt(negative) is invalid */
+-        if(x<zero) {
+-#if defined(vax)||defined(tahoe)
+-		return (infnan(EDOM));	/* NaN */
+-#else	/* defined(vax)||defined(tahoe) */
+-		return(zero/zero);
+-#endif	/* defined(vax)||defined(tahoe) */
+-	}
+-
+-    /* sqrt(INF) is INF */
+-        if(!finite(x)) return(x);
+-
+-    /* scale x to [1,4) */
+-        n=logb(x);
+-        x=scalbn(x,-n);
+-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
+-        m += n;
+-        n = m/2;
+-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
+-
+-    /* generate sqrt(x) bit by bit (accumulating in q) */
+-            q=1.0; s=4.0; x -= 1.0; r=1;
+-            for(i=1;i<=k;i++) {
+-                t=s+1; x *= 4; r /= 2;
+-                if(t<=x) {
+-                    s=t+t+2, x -= t; q += r;}
+-                else
+-                    s *= 2;
+-                }
+-
+-    /* generate the last bit and determine the final rounding */
+-            r/=2; x *= 4;
+-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
+-            if(s<x) {
+-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
+-                t = (x-s)-5;
+-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
+-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
+-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
+-            else {
+-                s *= 2; x *= 4;
+-                t = (x-s)-1;
+-                b=1.0+3*r/4; if(b==1.0) goto end;
+-                b=1.0+r/4;   if(b>1.0) t=1;
+-                if(t>=0) q+=r; }
+-
+-end:        return(scalbn(q,n));
+-}
+-
+-#if 0
+-/* DREM(X,Y)
+- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
+- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
+- * INTENDED FOR ASSEMBLY LANGUAGE
+- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
+- *
+- * Warning: this code should not get compiled in unless ALL of
+- * the following machine-dependent routines are supplied.
+- *
+- * Required machine dependent functions (not on a VAX):
+- *     swapINX(i): save inexact flag and reset it to "i"
+- *     swapENI(e): save inexact enable and reset it to "e"
+- */
+-
+-double drem(x,y)
+-double x,y;
+-{
+-
+-#ifdef national		/* order of words in floating point number */
+-	static const n0=3,n1=2,n2=1,n3=0;
+-#else /* VAX, SUN, ZILOG, TAHOE */
+-	static const n0=0,n1=1,n2=2,n3=3;
+-#endif
+-
+-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
+-	static const double zero=0.0;
+-	double hy,y1,t,t1;
+-	short k;
+-	long n;
+-	int i,e;
+-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
+-			nx,nf,	  *py  =(unsigned short *) &y  ,
+-			sign,	  *pt  =(unsigned short *) &t  ,
+-				  *pt1 =(unsigned short *) &t1 ;
+-
+-	xexp = px[n0] & mexp ;	/* exponent of x */
+-	yexp = py[n0] & mexp ;	/* exponent of y */
+-	sign = px[n0] &0x8000;	/* sign of x     */
+-
+-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
+-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
+-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
+-	if(y==zero) return(y/y);
+-
+-/* save the inexact flag and inexact enable in i and e respectively
+- * and reset them to zero
+- */
+-	i=swapINX(0);	e=swapENI(0);
+-
+-/* subnormal number */
+-	nx=0;
+-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
+-
+-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
+-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
+-
+-	nf=nx;
+-	py[n0] &= 0x7fff;
+-	px[n0] &= 0x7fff;
+-
+-/* mask off the least significant 27 bits of y */
+-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
+-
+-/* LOOP: argument reduction on x whenever x > y */
+-loop:
+-	while ( x > y )
+-	{
+-	    t=y;
+-	    t1=y1;
+-	    xexp=px[n0]&mexp;	  /* exponent of x */
+-	    k=xexp-yexp-m25;
+-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
+-		{pt[n0]+=k;pt1[n0]+=k;}
+-	    n=x/t; x=(x-n*t1)-n*(t-t1);
+-	}
+-    /* end while (x > y) */
+-
+-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
+-
+-/* final adjustment */
+-
+-	hy=y/2.0;
+-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
+-	px[n0] ^= sign;
+-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
+-
+-/* restore inexact flag and inexact enable */
+-	swapINX(i); swapENI(e);
+-
+-	return(x);
+-}
+-#endif
+-
+-#if 0
+-/* SQRT
+- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
+- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
+- * CODED IN C BY K.C. NG, 3/22/85.
+- *
+- * Warning: this code should not get compiled in unless ALL of
+- * the following machine-dependent routines are supplied.
+- *
+- * Required machine dependent functions:
+- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
+- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
+- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
+- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
+- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
+- */
+-
+-static const unsigned long table[] = {
+-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
+-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
+-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
+-
+-double newsqrt(x)
+-double x;
+-{
+-        double y,z,t,addc(),subc()
+-	double const b54=134217728.*134217728.; /* b54=2**54 */
+-        long mx,scalx;
+-	long const mexp=0x7ff00000;
+-        int i,j,r,e,swapINX(),swapRM(),swapENI();
+-        unsigned long *py=(unsigned long *) &y   ,
+-                      *pt=(unsigned long *) &t   ,
+-                      *px=(unsigned long *) &x   ;
+-#ifdef national         /* ordering of word in a floating point number */
+-        const int n0=1, n1=0;
+-#else
+-        const int n0=0, n1=1;
+-#endif
+-/* Rounding Mode:  RN ...round-to-nearest
+- *                 RZ ...round-towards 0
+- *                 RP ...round-towards +INF
+- *		   RM ...round-towards -INF
+- */
+-        const int RN=0,RZ=1,RP=2,RM=3;
+-				/* machine dependent: work on a Zilog Z8070
+-                                 * and a National 32081 & 16081
+-                                 */
+-
+-/* exceptions */
+-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
+-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
+-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
+-
+-/* save, reset, initialize */
+-        e=swapENI(0);   /* ...save and reset the inexact enable */
+-        i=swapINX(0);   /* ...save INEXACT flag */
+-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
+-        scalx=0;
+-
+-/* subnormal number, scale up x to x*2**54 */
+-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
+-
+-/* scale x to avoid intermediate over/underflow:
+- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
+-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
+-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
+-
+-/* magic initial approximation to almost 8 sig. bits */
+-        py[n0]=(px[n0]>>1)+0x1ff80000;
+-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
+-
+-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
+-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
+-
+-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
+-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
+-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
+-
+-/* twiddle last bit to force y correctly rounded */
+-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
+-        swapINX(0);     /* ...clear INEXACT flag */
+-        swapENI(e);     /* ...restore inexact enable status */
+-        t=x/y;          /* ...chopped quotient, possibly inexact */
+-        j=swapINX(i);   /* ...read and restore inexact flag */
+-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
+-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
+-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
+-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
+-        y=y+t;                          /* ...chopped sum */
+-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
+-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
+-        swapRM(r);                      /* ...restore Rounding Mode */
+-        return(y);
+-}
+-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6491c384a0a95e8bf2201fcc6a6a87b191b4f3fb

commit 6491c384a0a95e8bf2201fcc6a6a87b191b4f3fb
Merge: 05ca0b2 45704a9 575a99a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:13 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=05ca0b2a9a38829c3bde64e4c0c4e86d03dbb1b7

commit 05ca0b2a9a38829c3bde64e4c0c4e86d03dbb1b7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:13 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index d87c6a4..c9b4d63 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6befbab55a0494cfde0b24c1273eeaa1bca585d9
-Head: 511350628e6d67533247487df877b6b5c8110398
+Previous: 575a99ada411dcc3ddc0be92200cbf114537f7b5
+Head: 45704a90d0c02a27353a86cce2023a7cff0850a8
 Applied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
@@ -30,5 +30,6 @@ Applied:
   wip-manual-document-mt-safety-threads.patch: a876db182b7283130d6189eb55ea401d35053850
   wip-manual-document-mt-safety-time.patch: f24766f16a7fc05837ee864671592bdd230d4631
   remove-ieee754-support.patch: 511350628e6d67533247487df877b6b5c8110398
+  refresh-temp: 45704a90d0c02a27353a86cce2023a7cff0850a8
 Unapplied:
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..1ea4fb8
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,535 @@
+Bottom: b84a5f688770814e8732185c0f64b14903b5b29a
+Top:    9cd1ed610c81866354975c873c2429e57421212a
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 00:33:13 -0300
+
+Refresh of remove-ieee754-support.patch
+
+---
+
+diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
+deleted file mode 100644
+index 0bbd892f..0000000
+--- a/sysdeps/ieee754/support.c
++++ /dev/null
+@@ -1,520 +0,0 @@
+-/*
+- * Copyright (c) 1985, 1993
+- *	The Regents of the University of California.  All rights reserved.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- * 1. Redistributions of source code must retain the above copyright
+- *    notice, this list of conditions and the following disclaimer.
+- * 2. Redistributions in binary form must reproduce the above copyright
+- *    notice, this list of conditions and the following disclaimer in the
+- *    documentation and/or other materials provided with the distribution.
+- * 4. Neither the name of the University nor the names of its contributors
+- *    may be used to endorse or promote products derived from this software
+- *    without specific prior written permission.
+- *
+- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+- * SUCH DAMAGE.
+- */
+-
+-#ifndef lint
+-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
+-#endif /* not lint */
+-
+-/*
+- * Some IEEE standard 754 recommended functions and remainder and sqrt for
+- * supporting the C elementary functions.
+- ******************************************************************************
+- * WARNING:
+- *      These codes are developed (in double) to support the C elementary
+- * functions temporarily. They are not universal, and some of them are very
+- * slow (in particular, drem and sqrt is extremely inefficient). Each
+- * computer system should have its implementation of these functions using
+- * its own assembler.
+- ******************************************************************************
+- *
+- * IEEE 754 required operations:
+- *     drem(x,p)
+- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
+- *              nearest x/y; in half way case, choose the even one.
+- *     sqrt(x)
+- *              returns the square root of x correctly rounded according to
+- *		the rounding mod.
+- *
+- * IEEE 754 recommended functions:
+- * (a) copysign(x,y)
+- *              returns x with the sign of y.
+- * (b) scalb(x,N)
+- *              returns  x * (2**N), for integer values N.
+- * (c) logb(x)
+- *              returns the unbiased exponent of x, a signed integer in
+- *              double precision, except that logb(0) is -INF, logb(INF)
+- *              is +INF, and logb(NAN) is that NAN.
+- * (d) finite(x)
+- *              returns the value TRUE if -INF < x < +INF and returns
+- *              FALSE otherwise.
+- *
+- *
+- * CODED IN C BY K.C. NG, 11/25/84;
+- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
+- */
+-
+-#include "mathimpl.h"
+-
+-#if defined(vax)||defined(tahoe)      /* VAX D format */
+-#include <errno.h>
+-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
+-    static const short  prep1=57, gap=7, bias=129           ;
+-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
+-#else	/* defined(vax)||defined(tahoe) */
+-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
+-    static const short prep1=54, gap=4, bias=1023           ;
+-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-double scalbn(x,N)
+-double x; int N;
+-{
+-        int k;
+-
+-#ifdef national
+-        unsigned short *px=(unsigned short *) &x + 3;
+-#else	/* national */
+-        unsigned short *px=(unsigned short *) &x;
+-#endif	/* national */
+-
+-        if( x == zero )  return(x);
+-
+-#if defined(vax)||defined(tahoe)
+-        if( (k= *px & mexp ) != ~msign ) {
+-            if (N < -260)
+-		return(nunf*nunf);
+-	    else if (N > 260) {
+-		return(copysign(infnan(ERANGE),x));
+-	    }
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( (k= *px & mexp ) != mexp ) {
+-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
+-            if( k == 0 ) {
+-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-            if((k = (k>>gap)+ N) > 0 )
+-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
+-                else x=novf+novf;               /* overflow */
+-            else
+-                if( k > -prep1 )
+-                                        /* gradual underflow */
+-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
+-                else
+-                return(nunf*nunf);
+-            }
+-        return(x);
+-}
+-
+-
+-double copysign(x,y)
+-double x,y;
+-{
+-#ifdef national
+-        unsigned short  *px=(unsigned short *) &x+3,
+-                        *py=(unsigned short *) &y+3;
+-#else	/* national */
+-        unsigned short  *px=(unsigned short *) &x,
+-                        *py=(unsigned short *) &y;
+-#endif	/* national */
+-
+-#if defined(vax)||defined(tahoe)
+-        if ( (*px & mexp) == 0 ) return(x);
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-        *px = ( *px & msign ) | ( *py & ~msign );
+-        return(x);
+-}
+-
+-double logb(x)
+-double x;
+-{
+-
+-#ifdef national
+-        short *px=(short *) &x+3, k;
+-#else	/* national */
+-        short *px=(short *) &x, k;
+-#endif	/* national */
+-
+-#if defined(vax)||defined(tahoe)
+-        return (int)(((*px&mexp)>>gap)-bias);
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( (k= *px & mexp ) != mexp )
+-            if ( k != 0 )
+-                return ( (k>>gap) - bias );
+-            else if( x != zero)
+-                return ( -1022.0 );
+-            else
+-                return(-(1.0/zero));
+-        else if(x != x)
+-            return(x);
+-        else
+-            {*px &= msign; return(x);}
+-#endif	/* defined(vax)||defined(tahoe) */
+-}
+-
+-finite(x)
+-double x;
+-{
+-#if defined(vax)||defined(tahoe)
+-        return(1);
+-#else	/* defined(vax)||defined(tahoe) */
+-#ifdef national
+-        return( (*((short *) &x+3 ) & mexp ) != mexp );
+-#else	/* national */
+-        return( (*((short *) &x ) & mexp ) != mexp );
+-#endif	/* national */
+-#endif	/* defined(vax)||defined(tahoe) */
+-}
+-
+-double drem(x,p)
+-double x,p;
+-{
+-        short sign;
+-        double hp,dp,tmp;
+-        unsigned short  k;
+-#ifdef national
+-        unsigned short
+-              *px=(unsigned short *) &x  +3,
+-              *pp=(unsigned short *) &p  +3,
+-              *pd=(unsigned short *) &dp +3,
+-              *pt=(unsigned short *) &tmp+3;
+-#else	/* national */
+-        unsigned short
+-              *px=(unsigned short *) &x  ,
+-              *pp=(unsigned short *) &p  ,
+-              *pd=(unsigned short *) &dp ,
+-              *pt=(unsigned short *) &tmp;
+-#endif	/* national */
+-
+-        *pp &= msign ;
+-
+-#if defined(vax)||defined(tahoe)
+-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( ( *px & mexp ) == mexp )
+-#endif	/* defined(vax)||defined(tahoe) */
+-		return  (x-p)-(x-p);	/* create nan if x is inf */
+-	if (p == zero) {
+-#if defined(vax)||defined(tahoe)
+-		return(infnan(EDOM));
+-#else	/* defined(vax)||defined(tahoe) */
+-		return zero/zero;
+-#endif	/* defined(vax)||defined(tahoe) */
+-	}
+-
+-#if defined(vax)||defined(tahoe)
+-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
+-#else	/* defined(vax)||defined(tahoe) */
+-        if( ( *pp & mexp ) == mexp )
+-#endif	/* defined(vax)||defined(tahoe) */
+-		{ if (p != p) return p; else return x;}
+-
+-        else  if ( ((*pp & mexp)>>gap) <= 1 )
+-                /* subnormal p, or almost subnormal p */
+-            { double b; b=scalbn(1.0,(int)prep1);
+-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
+-        else  if ( p >= novf/2)
+-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
+-        else
+-            {
+-                dp=p+p; hp=p/2;
+-                sign= *px & ~msign ;
+-                *px &= msign       ;
+-                while ( x > dp )
+-                    {
+-                        k=(*px & mexp) - (*pd & mexp) ;
+-                        tmp = dp ;
+-                        *pt += k ;
+-
+-#if defined(vax)||defined(tahoe)
+-                        if( x < tmp ) *pt -= 128 ;
+-#else	/* defined(vax)||defined(tahoe) */
+-                        if( x < tmp ) *pt -= 16 ;
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-                        x -= tmp ;
+-                    }
+-                if ( x > hp )
+-                    { x -= p ;  if ( x >= hp ) x -= p ; }
+-
+-#if defined(vax)||defined(tahoe)
+-		if (x)
+-#endif	/* defined(vax)||defined(tahoe) */
+-			*px ^= sign;
+-                return( x);
+-
+-            }
+-}
+-
+-
+-double sqrt(x)
+-double x;
+-{
+-        double q,s,b,r;
+-        double t;
+-	double const zero=0.0;
+-        int m,n,i;
+-#if defined(vax)||defined(tahoe)
+-        int k=54;
+-#else	/* defined(vax)||defined(tahoe) */
+-        int k=51;
+-#endif	/* defined(vax)||defined(tahoe) */
+-
+-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
+-        if(x!=x||x==zero) return(x);
+-
+-    /* sqrt(negative) is invalid */
+-        if(x<zero) {
+-#if defined(vax)||defined(tahoe)
+-		return (infnan(EDOM));	/* NaN */
+-#else	/* defined(vax)||defined(tahoe) */
+-		return(zero/zero);
+-#endif	/* defined(vax)||defined(tahoe) */
+-	}
+-
+-    /* sqrt(INF) is INF */
+-        if(!finite(x)) return(x);
+-
+-    /* scale x to [1,4) */
+-        n=logb(x);
+-        x=scalbn(x,-n);
+-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
+-        m += n;
+-        n = m/2;
+-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
+-
+-    /* generate sqrt(x) bit by bit (accumulating in q) */
+-            q=1.0; s=4.0; x -= 1.0; r=1;
+-            for(i=1;i<=k;i++) {
+-                t=s+1; x *= 4; r /= 2;
+-                if(t<=x) {
+-                    s=t+t+2, x -= t; q += r;}
+-                else
+-                    s *= 2;
+-                }
+-
+-    /* generate the last bit and determine the final rounding */
+-            r/=2; x *= 4;
+-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
+-            if(s<x) {
+-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
+-                t = (x-s)-5;
+-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
+-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
+-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
+-            else {
+-                s *= 2; x *= 4;
+-                t = (x-s)-1;
+-                b=1.0+3*r/4; if(b==1.0) goto end;
+-                b=1.0+r/4;   if(b>1.0) t=1;
+-                if(t>=0) q+=r; }
+-
+-end:        return(scalbn(q,n));
+-}
+-
+-#if 0
+-/* DREM(X,Y)
+- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
+- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
+- * INTENDED FOR ASSEMBLY LANGUAGE
+- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
+- *
+- * Warning: this code should not get compiled in unless ALL of
+- * the following machine-dependent routines are supplied.
+- *
+- * Required machine dependent functions (not on a VAX):
+- *     swapINX(i): save inexact flag and reset it to "i"
+- *     swapENI(e): save inexact enable and reset it to "e"
+- */
+-
+-double drem(x,y)
+-double x,y;
+-{
+-
+-#ifdef national		/* order of words in floating point number */
+-	static const n0=3,n1=2,n2=1,n3=0;
+-#else /* VAX, SUN, ZILOG, TAHOE */
+-	static const n0=0,n1=1,n2=2,n3=3;
+-#endif
+-
+-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
+-	static const double zero=0.0;
+-	double hy,y1,t,t1;
+-	short k;
+-	long n;
+-	int i,e;
+-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
+-			nx,nf,	  *py  =(unsigned short *) &y  ,
+-			sign,	  *pt  =(unsigned short *) &t  ,
+-				  *pt1 =(unsigned short *) &t1 ;
+-
+-	xexp = px[n0] & mexp ;	/* exponent of x */
+-	yexp = py[n0] & mexp ;	/* exponent of y */
+-	sign = px[n0] &0x8000;	/* sign of x     */
+-
+-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
+-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
+-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
+-	if(y==zero) return(y/y);
+-
+-/* save the inexact flag and inexact enable in i and e respectively
+- * and reset them to zero
+- */
+-	i=swapINX(0);	e=swapENI(0);
+-
+-/* subnormal number */
+-	nx=0;
+-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
+-
+-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
+-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
+-
+-	nf=nx;
+-	py[n0] &= 0x7fff;
+-	px[n0] &= 0x7fff;
+-
+-/* mask off the least significant 27 bits of y */
+-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
+-
+-/* LOOP: argument reduction on x whenever x > y */
+-loop:
+-	while ( x > y )
+-	{
+-	    t=y;
+-	    t1=y1;
+-	    xexp=px[n0]&mexp;	  /* exponent of x */
+-	    k=xexp-yexp-m25;
+-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
+-		{pt[n0]+=k;pt1[n0]+=k;}
+-	    n=x/t; x=(x-n*t1)-n*(t-t1);
+-	}
+-    /* end while (x > y) */
+-
+-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
+-
+-/* final adjustment */
+-
+-	hy=y/2.0;
+-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
+-	px[n0] ^= sign;
+-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
+-
+-/* restore inexact flag and inexact enable */
+-	swapINX(i); swapENI(e);
+-
+-	return(x);
+-}
+-#endif
+-
+-#if 0
+-/* SQRT
+- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
+- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
+- * CODED IN C BY K.C. NG, 3/22/85.
+- *
+- * Warning: this code should not get compiled in unless ALL of
+- * the following machine-dependent routines are supplied.
+- *
+- * Required machine dependent functions:
+- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
+- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
+- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
+- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
+- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
+- */
+-
+-static const unsigned long table[] = {
+-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
+-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
+-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
+-
+-double newsqrt(x)
+-double x;
+-{
+-        double y,z,t,addc(),subc()
+-	double const b54=134217728.*134217728.; /* b54=2**54 */
+-        long mx,scalx;
+-	long const mexp=0x7ff00000;
+-        int i,j,r,e,swapINX(),swapRM(),swapENI();
+-        unsigned long *py=(unsigned long *) &y   ,
+-                      *pt=(unsigned long *) &t   ,
+-                      *px=(unsigned long *) &x   ;
+-#ifdef national         /* ordering of word in a floating point number */
+-        const int n0=1, n1=0;
+-#else
+-        const int n0=0, n1=1;
+-#endif
+-/* Rounding Mode:  RN ...round-to-nearest
+- *                 RZ ...round-towards 0
+- *                 RP ...round-towards +INF
+- *		   RM ...round-towards -INF
+- */
+-        const int RN=0,RZ=1,RP=2,RM=3;
+-				/* machine dependent: work on a Zilog Z8070
+-                                 * and a National 32081 & 16081
+-                                 */
+-
+-/* exceptions */
+-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
+-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
+-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
+-
+-/* save, reset, initialize */
+-        e=swapENI(0);   /* ...save and reset the inexact enable */
+-        i=swapINX(0);   /* ...save INEXACT flag */
+-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
+-        scalx=0;
+-
+-/* subnormal number, scale up x to x*2**54 */
+-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
+-
+-/* scale x to avoid intermediate over/underflow:
+- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
+-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
+-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
+-
+-/* magic initial approximation to almost 8 sig. bits */
+-        py[n0]=(px[n0]>>1)+0x1ff80000;
+-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
+-
+-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
+-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
+-
+-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
+-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
+-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
+-
+-/* twiddle last bit to force y correctly rounded */
+-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
+-        swapINX(0);     /* ...clear INEXACT flag */
+-        swapENI(e);     /* ...restore inexact enable status */
+-        t=x/y;          /* ...chopped quotient, possibly inexact */
+-        j=swapINX(i);   /* ...read and restore inexact flag */
+-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
+-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
+-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
+-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
+-        y=y+t;                          /* ...chopped sum */
+-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
+-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
+-        swapRM(r);                      /* ...restore Rounding Mode */
+-        return(y);
+-}
+-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=45704a90d0c02a27353a86cce2023a7cff0850a8

commit 45704a90d0c02a27353a86cce2023a7cff0850a8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:33:13 2013 -0300

    Refresh of remove-ieee754-support.patch

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
deleted file mode 100644
index 0bbd892..0000000
--- a/sysdeps/ieee754/support.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
-#endif /* not lint */
-
-/*
- * Some IEEE standard 754 recommended functions and remainder and sqrt for
- * supporting the C elementary functions.
- ******************************************************************************
- * WARNING:
- *      These codes are developed (in double) to support the C elementary
- * functions temporarily. They are not universal, and some of them are very
- * slow (in particular, drem and sqrt is extremely inefficient). Each
- * computer system should have its implementation of these functions using
- * its own assembler.
- ******************************************************************************
- *
- * IEEE 754 required operations:
- *     drem(x,p)
- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
- *              nearest x/y; in half way case, choose the even one.
- *     sqrt(x)
- *              returns the square root of x correctly rounded according to
- *		the rounding mod.
- *
- * IEEE 754 recommended functions:
- * (a) copysign(x,y)
- *              returns x with the sign of y.
- * (b) scalb(x,N)
- *              returns  x * (2**N), for integer values N.
- * (c) logb(x)
- *              returns the unbiased exponent of x, a signed integer in
- *              double precision, except that logb(0) is -INF, logb(INF)
- *              is +INF, and logb(NAN) is that NAN.
- * (d) finite(x)
- *              returns the value TRUE if -INF < x < +INF and returns
- *              FALSE otherwise.
- *
- *
- * CODED IN C BY K.C. NG, 11/25/84;
- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
- */
-
-#include "mathimpl.h"
-
-#if defined(vax)||defined(tahoe)      /* VAX D format */
-#include <errno.h>
-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
-    static const short  prep1=57, gap=7, bias=129           ;
-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
-#else	/* defined(vax)||defined(tahoe) */
-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
-    static const short prep1=54, gap=4, bias=1023           ;
-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
-#endif	/* defined(vax)||defined(tahoe) */
-
-double scalbn(x,N)
-double x; int N;
-{
-        int k;
-
-#ifdef national
-        unsigned short *px=(unsigned short *) &x + 3;
-#else	/* national */
-        unsigned short *px=(unsigned short *) &x;
-#endif	/* national */
-
-        if( x == zero )  return(x);
-
-#if defined(vax)||defined(tahoe)
-        if( (k= *px & mexp ) != ~msign ) {
-            if (N < -260)
-		return(nunf*nunf);
-	    else if (N > 260) {
-		return(copysign(infnan(ERANGE),x));
-	    }
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp ) {
-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
-            if( k == 0 ) {
-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
-#endif	/* defined(vax)||defined(tahoe) */
-
-            if((k = (k>>gap)+ N) > 0 )
-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
-                else x=novf+novf;               /* overflow */
-            else
-                if( k > -prep1 )
-                                        /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
-                else
-                return(nunf*nunf);
-            }
-        return(x);
-}
-
-
-double copysign(x,y)
-double x,y;
-{
-#ifdef national
-        unsigned short  *px=(unsigned short *) &x+3,
-                        *py=(unsigned short *) &y+3;
-#else	/* national */
-        unsigned short  *px=(unsigned short *) &x,
-                        *py=(unsigned short *) &y;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        if ( (*px & mexp) == 0 ) return(x);
-#endif	/* defined(vax)||defined(tahoe) */
-
-        *px = ( *px & msign ) | ( *py & ~msign );
-        return(x);
-}
-
-double logb(x)
-double x;
-{
-
-#ifdef national
-        short *px=(short *) &x+3, k;
-#else	/* national */
-        short *px=(short *) &x, k;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        return (int)(((*px&mexp)>>gap)-bias);
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp )
-            if ( k != 0 )
-                return ( (k>>gap) - bias );
-            else if( x != zero)
-                return ( -1022.0 );
-            else
-                return(-(1.0/zero));
-        else if(x != x)
-            return(x);
-        else
-            {*px &= msign; return(x);}
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-finite(x)
-double x;
-{
-#if defined(vax)||defined(tahoe)
-        return(1);
-#else	/* defined(vax)||defined(tahoe) */
-#ifdef national
-        return( (*((short *) &x+3 ) & mexp ) != mexp );
-#else	/* national */
-        return( (*((short *) &x ) & mexp ) != mexp );
-#endif	/* national */
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-double drem(x,p)
-double x,p;
-{
-        short sign;
-        double hp,dp,tmp;
-        unsigned short  k;
-#ifdef national
-        unsigned short
-              *px=(unsigned short *) &x  +3,
-              *pp=(unsigned short *) &p  +3,
-              *pd=(unsigned short *) &dp +3,
-              *pt=(unsigned short *) &tmp+3;
-#else	/* national */
-        unsigned short
-              *px=(unsigned short *) &x  ,
-              *pp=(unsigned short *) &p  ,
-              *pd=(unsigned short *) &dp ,
-              *pt=(unsigned short *) &tmp;
-#endif	/* national */
-
-        *pp &= msign ;
-
-#if defined(vax)||defined(tahoe)
-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *px & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		return  (x-p)-(x-p);	/* create nan if x is inf */
-	if (p == zero) {
-#if defined(vax)||defined(tahoe)
-		return(infnan(EDOM));
-#else	/* defined(vax)||defined(tahoe) */
-		return zero/zero;
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-#if defined(vax)||defined(tahoe)
-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *pp & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		{ if (p != p) return p; else return x;}
-
-        else  if ( ((*pp & mexp)>>gap) <= 1 )
-                /* subnormal p, or almost subnormal p */
-            { double b; b=scalbn(1.0,(int)prep1);
-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
-        else  if ( p >= novf/2)
-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
-        else
-            {
-                dp=p+p; hp=p/2;
-                sign= *px & ~msign ;
-                *px &= msign       ;
-                while ( x > dp )
-                    {
-                        k=(*px & mexp) - (*pd & mexp) ;
-                        tmp = dp ;
-                        *pt += k ;
-
-#if defined(vax)||defined(tahoe)
-                        if( x < tmp ) *pt -= 128 ;
-#else	/* defined(vax)||defined(tahoe) */
-                        if( x < tmp ) *pt -= 16 ;
-#endif	/* defined(vax)||defined(tahoe) */
-
-                        x -= tmp ;
-                    }
-                if ( x > hp )
-                    { x -= p ;  if ( x >= hp ) x -= p ; }
-
-#if defined(vax)||defined(tahoe)
-		if (x)
-#endif	/* defined(vax)||defined(tahoe) */
-			*px ^= sign;
-                return( x);
-
-            }
-}
-
-
-double sqrt(x)
-double x;
-{
-        double q,s,b,r;
-        double t;
-	double const zero=0.0;
-        int m,n,i;
-#if defined(vax)||defined(tahoe)
-        int k=54;
-#else	/* defined(vax)||defined(tahoe) */
-        int k=51;
-#endif	/* defined(vax)||defined(tahoe) */
-
-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-        if(x!=x||x==zero) return(x);
-
-    /* sqrt(negative) is invalid */
-        if(x<zero) {
-#if defined(vax)||defined(tahoe)
-		return (infnan(EDOM));	/* NaN */
-#else	/* defined(vax)||defined(tahoe) */
-		return(zero/zero);
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-    /* sqrt(INF) is INF */
-        if(!finite(x)) return(x);
-
-    /* scale x to [1,4) */
-        n=logb(x);
-        x=scalbn(x,-n);
-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
-        m += n;
-        n = m/2;
-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
-
-    /* generate sqrt(x) bit by bit (accumulating in q) */
-            q=1.0; s=4.0; x -= 1.0; r=1;
-            for(i=1;i<=k;i++) {
-                t=s+1; x *= 4; r /= 2;
-                if(t<=x) {
-                    s=t+t+2, x -= t; q += r;}
-                else
-                    s *= 2;
-                }
-
-    /* generate the last bit and determine the final rounding */
-            r/=2; x *= 4;
-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
-            if(s<x) {
-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
-                t = (x-s)-5;
-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
-            else {
-                s *= 2; x *= 4;
-                t = (x-s)-1;
-                b=1.0+3*r/4; if(b==1.0) goto end;
-                b=1.0+r/4;   if(b>1.0) t=1;
-                if(t>=0) q+=r; }
-
-end:        return(scalbn(q,n));
-}
-
-#if 0
-/* DREM(X,Y)
- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
- * INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions (not on a VAX):
- *     swapINX(i): save inexact flag and reset it to "i"
- *     swapENI(e): save inexact enable and reset it to "e"
- */
-
-double drem(x,y)
-double x,y;
-{
-
-#ifdef national		/* order of words in floating point number */
-	static const n0=3,n1=2,n2=1,n3=0;
-#else /* VAX, SUN, ZILOG, TAHOE */
-	static const n0=0,n1=1,n2=2,n3=3;
-#endif
-
-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
-	static const double zero=0.0;
-	double hy,y1,t,t1;
-	short k;
-	long n;
-	int i,e;
-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
-			nx,nf,	  *py  =(unsigned short *) &y  ,
-			sign,	  *pt  =(unsigned short *) &t  ,
-				  *pt1 =(unsigned short *) &t1 ;
-
-	xexp = px[n0] & mexp ;	/* exponent of x */
-	yexp = py[n0] & mexp ;	/* exponent of y */
-	sign = px[n0] &0x8000;	/* sign of x     */
-
-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
-	if(y==zero) return(y/y);
-
-/* save the inexact flag and inexact enable in i and e respectively
- * and reset them to zero
- */
-	i=swapINX(0);	e=swapENI(0);
-
-/* subnormal number */
-	nx=0;
-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
-
-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
-
-	nf=nx;
-	py[n0] &= 0x7fff;
-	px[n0] &= 0x7fff;
-
-/* mask off the least significant 27 bits of y */
-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
-
-/* LOOP: argument reduction on x whenever x > y */
-loop:
-	while ( x > y )
-	{
-	    t=y;
-	    t1=y1;
-	    xexp=px[n0]&mexp;	  /* exponent of x */
-	    k=xexp-yexp-m25;
-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
-		{pt[n0]+=k;pt1[n0]+=k;}
-	    n=x/t; x=(x-n*t1)-n*(t-t1);
-	}
-    /* end while (x > y) */
-
-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
-
-/* final adjustment */
-
-	hy=y/2.0;
-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
-	px[n0] ^= sign;
-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
-
-/* restore inexact flag and inexact enable */
-	swapINX(i); swapENI(e);
-
-	return(x);
-}
-#endif
-
-#if 0
-/* SQRT
- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/22/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions:
- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
- */
-
-static const unsigned long table[] = {
-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
-
-double newsqrt(x)
-double x;
-{
-        double y,z,t,addc(),subc()
-	double const b54=134217728.*134217728.; /* b54=2**54 */
-        long mx,scalx;
-	long const mexp=0x7ff00000;
-        int i,j,r,e,swapINX(),swapRM(),swapENI();
-        unsigned long *py=(unsigned long *) &y   ,
-                      *pt=(unsigned long *) &t   ,
-                      *px=(unsigned long *) &x   ;
-#ifdef national         /* ordering of word in a floating point number */
-        const int n0=1, n1=0;
-#else
-        const int n0=0, n1=1;
-#endif
-/* Rounding Mode:  RN ...round-to-nearest
- *                 RZ ...round-towards 0
- *                 RP ...round-towards +INF
- *		   RM ...round-towards -INF
- */
-        const int RN=0,RZ=1,RP=2,RM=3;
-				/* machine dependent: work on a Zilog Z8070
-                                 * and a National 32081 & 16081
-                                 */
-
-/* exceptions */
-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
-
-/* save, reset, initialize */
-        e=swapENI(0);   /* ...save and reset the inexact enable */
-        i=swapINX(0);   /* ...save INEXACT flag */
-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
-        scalx=0;
-
-/* subnormal number, scale up x to x*2**54 */
-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
-
-/* scale x to avoid intermediate over/underflow:
- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
-
-/* magic initial approximation to almost 8 sig. bits */
-        py[n0]=(px[n0]>>1)+0x1ff80000;
-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
-
-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
-
-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
-
-/* twiddle last bit to force y correctly rounded */
-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
-        swapINX(0);     /* ...clear INEXACT flag */
-        swapENI(e);     /* ...restore inexact enable status */
-        t=x/y;          /* ...chopped quotient, possibly inexact */
-        j=swapINX(i);   /* ...read and restore inexact flag */
-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
-        y=y+t;                          /* ...chopped sum */
-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
-        swapRM(r);                      /* ...restore Rounding Mode */
-        return(y);
-}
-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=575a99ada411dcc3ddc0be92200cbf114537f7b5

commit 575a99ada411dcc3ddc0be92200cbf114537f7b5
Merge: a11f919 6befbab 5113506
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:32:55 2013 -0300

    new


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a11f9195af1b03dc22326a0153f9916b6d3ad9e2

commit a11f9195af1b03dc22326a0153f9916b6d3ad9e2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:32:55 2013 -0300

    new

diff --git a/meta b/meta
index eac0d19..d87c6a4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 42b5c5b93dd5e0ab073b0976b5571e6df7852de6
-Head: f24766f16a7fc05837ee864671592bdd230d4631
+Previous: 6befbab55a0494cfde0b24c1273eeaa1bca585d9
+Head: 511350628e6d67533247487df877b6b5c8110398
 Applied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
   powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
@@ -29,5 +29,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 88d6db1efac30fda4ced56f1f651174b35cf5214
   wip-manual-document-mt-safety-threads.patch: a876db182b7283130d6189eb55ea401d35053850
   wip-manual-document-mt-safety-time.patch: f24766f16a7fc05837ee864671592bdd230d4631
+  remove-ieee754-support.patch: 511350628e6d67533247487df877b6b5c8110398
 Unapplied:
 Hidden:
diff --git a/patches/remove-ieee754-support.patch b/patches/remove-ieee754-support.patch
new file mode 100644
index 0000000..940c1a6
--- /dev/null
+++ b/patches/remove-ieee754-support.patch
@@ -0,0 +1,15 @@
+Bottom: b84a5f688770814e8732185c0f64b14903b5b29a
+Top:    b84a5f688770814e8732185c0f64b14903b5b29a
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 00:32:53 -0300
+
+Remove unused sysdeps/ieee754/support.c.
+
+for  ChangeLog
+
+	* sysdeps/ieee754/support.c: Remove.
+
+
+---
+
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=29601892fc048942d31e8e0d1768365ced9a95de

commit 29601892fc048942d31e8e0d1768365ced9a95de
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:32:53 2013 -0300

    Remove unused sysdeps/ieee754/support.c.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c: Remove.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
deleted file mode 100644
index 0bbd892..0000000
--- a/sysdeps/ieee754/support.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
-#endif /* not lint */
-
-/*
- * Some IEEE standard 754 recommended functions and remainder and sqrt for
- * supporting the C elementary functions.
- ******************************************************************************
- * WARNING:
- *      These codes are developed (in double) to support the C elementary
- * functions temporarily. They are not universal, and some of them are very
- * slow (in particular, drem and sqrt is extremely inefficient). Each
- * computer system should have its implementation of these functions using
- * its own assembler.
- ******************************************************************************
- *
- * IEEE 754 required operations:
- *     drem(x,p)
- *              returns  x REM y  =  x - [x/y]*y , where [x/y] is the integer
- *              nearest x/y; in half way case, choose the even one.
- *     sqrt(x)
- *              returns the square root of x correctly rounded according to
- *		the rounding mod.
- *
- * IEEE 754 recommended functions:
- * (a) copysign(x,y)
- *              returns x with the sign of y.
- * (b) scalb(x,N)
- *              returns  x * (2**N), for integer values N.
- * (c) logb(x)
- *              returns the unbiased exponent of x, a signed integer in
- *              double precision, except that logb(0) is -INF, logb(INF)
- *              is +INF, and logb(NAN) is that NAN.
- * (d) finite(x)
- *              returns the value TRUE if -INF < x < +INF and returns
- *              FALSE otherwise.
- *
- *
- * CODED IN C BY K.C. NG, 11/25/84;
- * REVISED BY K.C. NG on 1/22/85, 2/13/85, 3/24/85.
- */
-
-#include "mathimpl.h"
-
-#if defined(vax)||defined(tahoe)      /* VAX D format */
-#include <errno.h>
-    static const unsigned short msign=0x7fff , mexp =0x7f80 ;
-    static const short  prep1=57, gap=7, bias=129           ;
-    static const double novf=1.7E38, nunf=3.0E-39, zero=0.0 ;
-#else	/* defined(vax)||defined(tahoe) */
-    static const unsigned short msign=0x7fff, mexp =0x7ff0  ;
-    static const short prep1=54, gap=4, bias=1023           ;
-    static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
-#endif	/* defined(vax)||defined(tahoe) */
-
-double scalbn(x,N)
-double x; int N;
-{
-        int k;
-
-#ifdef national
-        unsigned short *px=(unsigned short *) &x + 3;
-#else	/* national */
-        unsigned short *px=(unsigned short *) &x;
-#endif	/* national */
-
-        if( x == zero )  return(x);
-
-#if defined(vax)||defined(tahoe)
-        if( (k= *px & mexp ) != ~msign ) {
-            if (N < -260)
-		return(nunf*nunf);
-	    else if (N > 260) {
-		return(copysign(infnan(ERANGE),x));
-	    }
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp ) {
-            if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
-            if( k == 0 ) {
-                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
-#endif	/* defined(vax)||defined(tahoe) */
-
-            if((k = (k>>gap)+ N) > 0 )
-                if( k < (mexp>>gap) ) *px = (*px&~mexp) | (k<<gap);
-                else x=novf+novf;               /* overflow */
-            else
-                if( k > -prep1 )
-                                        /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
-                else
-                return(nunf*nunf);
-            }
-        return(x);
-}
-
-
-double copysign(x,y)
-double x,y;
-{
-#ifdef national
-        unsigned short  *px=(unsigned short *) &x+3,
-                        *py=(unsigned short *) &y+3;
-#else	/* national */
-        unsigned short  *px=(unsigned short *) &x,
-                        *py=(unsigned short *) &y;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        if ( (*px & mexp) == 0 ) return(x);
-#endif	/* defined(vax)||defined(tahoe) */
-
-        *px = ( *px & msign ) | ( *py & ~msign );
-        return(x);
-}
-
-double logb(x)
-double x;
-{
-
-#ifdef national
-        short *px=(short *) &x+3, k;
-#else	/* national */
-        short *px=(short *) &x, k;
-#endif	/* national */
-
-#if defined(vax)||defined(tahoe)
-        return (int)(((*px&mexp)>>gap)-bias);
-#else	/* defined(vax)||defined(tahoe) */
-        if( (k= *px & mexp ) != mexp )
-            if ( k != 0 )
-                return ( (k>>gap) - bias );
-            else if( x != zero)
-                return ( -1022.0 );
-            else
-                return(-(1.0/zero));
-        else if(x != x)
-            return(x);
-        else
-            {*px &= msign; return(x);}
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-finite(x)
-double x;
-{
-#if defined(vax)||defined(tahoe)
-        return(1);
-#else	/* defined(vax)||defined(tahoe) */
-#ifdef national
-        return( (*((short *) &x+3 ) & mexp ) != mexp );
-#else	/* national */
-        return( (*((short *) &x ) & mexp ) != mexp );
-#endif	/* national */
-#endif	/* defined(vax)||defined(tahoe) */
-}
-
-double drem(x,p)
-double x,p;
-{
-        short sign;
-        double hp,dp,tmp;
-        unsigned short  k;
-#ifdef national
-        unsigned short
-              *px=(unsigned short *) &x  +3,
-              *pp=(unsigned short *) &p  +3,
-              *pd=(unsigned short *) &dp +3,
-              *pt=(unsigned short *) &tmp+3;
-#else	/* national */
-        unsigned short
-              *px=(unsigned short *) &x  ,
-              *pp=(unsigned short *) &p  ,
-              *pd=(unsigned short *) &dp ,
-              *pt=(unsigned short *) &tmp;
-#endif	/* national */
-
-        *pp &= msign ;
-
-#if defined(vax)||defined(tahoe)
-        if( ( *px & mexp ) == ~msign )	/* is x a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *px & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		return  (x-p)-(x-p);	/* create nan if x is inf */
-	if (p == zero) {
-#if defined(vax)||defined(tahoe)
-		return(infnan(EDOM));
-#else	/* defined(vax)||defined(tahoe) */
-		return zero/zero;
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-#if defined(vax)||defined(tahoe)
-        if( ( *pp & mexp ) == ~msign )	/* is p a reserved operand? */
-#else	/* defined(vax)||defined(tahoe) */
-        if( ( *pp & mexp ) == mexp )
-#endif	/* defined(vax)||defined(tahoe) */
-		{ if (p != p) return p; else return x;}
-
-        else  if ( ((*pp & mexp)>>gap) <= 1 )
-                /* subnormal p, or almost subnormal p */
-            { double b; b=scalbn(1.0,(int)prep1);
-              p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
-        else  if ( p >= novf/2)
-            { p /= 2 ; x /= 2; return(drem(x,p)*2);}
-        else
-            {
-                dp=p+p; hp=p/2;
-                sign= *px & ~msign ;
-                *px &= msign       ;
-                while ( x > dp )
-                    {
-                        k=(*px & mexp) - (*pd & mexp) ;
-                        tmp = dp ;
-                        *pt += k ;
-
-#if defined(vax)||defined(tahoe)
-                        if( x < tmp ) *pt -= 128 ;
-#else	/* defined(vax)||defined(tahoe) */
-                        if( x < tmp ) *pt -= 16 ;
-#endif	/* defined(vax)||defined(tahoe) */
-
-                        x -= tmp ;
-                    }
-                if ( x > hp )
-                    { x -= p ;  if ( x >= hp ) x -= p ; }
-
-#if defined(vax)||defined(tahoe)
-		if (x)
-#endif	/* defined(vax)||defined(tahoe) */
-			*px ^= sign;
-                return( x);
-
-            }
-}
-
-
-double sqrt(x)
-double x;
-{
-        double q,s,b,r;
-        double t;
-	double const zero=0.0;
-        int m,n,i;
-#if defined(vax)||defined(tahoe)
-        int k=54;
-#else	/* defined(vax)||defined(tahoe) */
-        int k=51;
-#endif	/* defined(vax)||defined(tahoe) */
-
-    /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-        if(x!=x||x==zero) return(x);
-
-    /* sqrt(negative) is invalid */
-        if(x<zero) {
-#if defined(vax)||defined(tahoe)
-		return (infnan(EDOM));	/* NaN */
-#else	/* defined(vax)||defined(tahoe) */
-		return(zero/zero);
-#endif	/* defined(vax)||defined(tahoe) */
-	}
-
-    /* sqrt(INF) is INF */
-        if(!finite(x)) return(x);
-
-    /* scale x to [1,4) */
-        n=logb(x);
-        x=scalbn(x,-n);
-        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
-        m += n;
-        n = m/2;
-        if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
-
-    /* generate sqrt(x) bit by bit (accumulating in q) */
-            q=1.0; s=4.0; x -= 1.0; r=1;
-            for(i=1;i<=k;i++) {
-                t=s+1; x *= 4; r /= 2;
-                if(t<=x) {
-                    s=t+t+2, x -= t; q += r;}
-                else
-                    s *= 2;
-                }
-
-    /* generate the last bit and determine the final rounding */
-            r/=2; x *= 4;
-            if(x==zero) goto end; 100+r; /* trigger inexact flag */
-            if(s<x) {
-                q+=r; x -=s; s += 2; s *= 2; x *= 4;
-                t = (x-s)-5;
-                b=1.0+3*r/4; if(b==1.0) goto end; /* b==1 : Round-to-zero */
-                b=1.0+r/4;   if(b>1.0) t=1;	/* b>1 : Round-to-(+INF) */
-                if(t>=0) q+=r; }	      /* else: Round-to-nearest */
-            else {
-                s *= 2; x *= 4;
-                t = (x-s)-1;
-                b=1.0+3*r/4; if(b==1.0) goto end;
-                b=1.0+r/4;   if(b>1.0) t=1;
-                if(t>=0) q+=r; }
-
-end:        return(scalbn(q,n));
-}
-
-#if 0
-/* DREM(X,Y)
- * RETURN X REM Y =X-N*Y, N=[X/Y] ROUNDED (ROUNDED TO EVEN IN THE HALF WAY CASE)
- * DOUBLE PRECISION (VAX D format 56 bits, IEEE DOUBLE 53 BITS)
- * INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/23/85, 4/8/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions (not on a VAX):
- *     swapINX(i): save inexact flag and reset it to "i"
- *     swapENI(e): save inexact enable and reset it to "e"
- */
-
-double drem(x,y)
-double x,y;
-{
-
-#ifdef national		/* order of words in floating point number */
-	static const n0=3,n1=2,n2=1,n3=0;
-#else /* VAX, SUN, ZILOG, TAHOE */
-	static const n0=0,n1=1,n2=2,n3=3;
-#endif
-
-	static const unsigned short mexp =0x7ff0, m25 =0x0190, m57 =0x0390;
-	static const double zero=0.0;
-	double hy,y1,t,t1;
-	short k;
-	long n;
-	int i,e;
-	unsigned short xexp,yexp, *px  =(unsigned short *) &x  ,
-			nx,nf,	  *py  =(unsigned short *) &y  ,
-			sign,	  *pt  =(unsigned short *) &t  ,
-				  *pt1 =(unsigned short *) &t1 ;
-
-	xexp = px[n0] & mexp ;	/* exponent of x */
-	yexp = py[n0] & mexp ;	/* exponent of y */
-	sign = px[n0] &0x8000;	/* sign of x     */
-
-/* return NaN if x is NaN, or y is NaN, or x is INF, or y is zero */
-	if(x!=x) return(x); if(y!=y) return(y);	     /* x or y is NaN */
-	if( xexp == mexp )   return(zero/zero);      /* x is INF */
-	if(y==zero) return(y/y);
-
-/* save the inexact flag and inexact enable in i and e respectively
- * and reset them to zero
- */
-	i=swapINX(0);	e=swapENI(0);
-
-/* subnormal number */
-	nx=0;
-	if(yexp==0) {t=1.0,pt[n0]+=m57; y*=t; nx=m57;}
-
-/* if y is tiny (biased exponent <= 57), scale up y to y*2**57 */
-	if( yexp <= m57 ) {py[n0]+=m57; nx+=m57; yexp+=m57;}
-
-	nf=nx;
-	py[n0] &= 0x7fff;
-	px[n0] &= 0x7fff;
-
-/* mask off the least significant 27 bits of y */
-	t=y; pt[n3]=0; pt[n2]&=0xf800; y1=t;
-
-/* LOOP: argument reduction on x whenever x > y */
-loop:
-	while ( x > y )
-	{
-	    t=y;
-	    t1=y1;
-	    xexp=px[n0]&mexp;	  /* exponent of x */
-	    k=xexp-yexp-m25;
-	    if(k>0) 	/* if x/y >= 2**26, scale up y so that x/y < 2**26 */
-		{pt[n0]+=k;pt1[n0]+=k;}
-	    n=x/t; x=(x-n*t1)-n*(t-t1);
-	}
-    /* end while (x > y) */
-
-	if(nx!=0) {t=1.0; pt[n0]+=nx; x*=t; nx=0; goto loop;}
-
-/* final adjustment */
-
-	hy=y/2.0;
-	if(x>hy||((x==hy)&&n%2==1)) x-=y;
-	px[n0] ^= sign;
-	if(nf!=0) { t=1.0; pt[n0]-=nf; x*=t;}
-
-/* restore inexact flag and inexact enable */
-	swapINX(i); swapENI(e);
-
-	return(x);
-}
-#endif
-
-#if 0
-/* SQRT
- * RETURN CORRECTLY ROUNDED (ACCORDING TO THE ROUNDING MODE) SQRT
- * FOR IEEE DOUBLE PRECISION ONLY, INTENDED FOR ASSEMBLY LANGUAGE
- * CODED IN C BY K.C. NG, 3/22/85.
- *
- * Warning: this code should not get compiled in unless ALL of
- * the following machine-dependent routines are supplied.
- *
- * Required machine dependent functions:
- *     swapINX(i)  ...return the status of INEXACT flag and reset it to "i"
- *     swapRM(r)   ...return the current Rounding Mode and reset it to "r"
- *     swapENI(e)  ...return the status of inexact enable and reset it to "e"
- *     addc(t)     ...perform t=t+1 regarding t as a 64 bit unsigned integer
- *     subc(t)     ...perform t=t-1 regarding t as a 64 bit unsigned integer
- */
-
-static const unsigned long table[] = {
-0, 1204, 3062, 5746, 9193, 13348, 18162, 23592, 29598, 36145, 43202, 50740,
-58733, 67158, 75992, 85215, 83599, 71378, 60428, 50647, 41945, 34246, 27478,
-21581, 16499, 12183, 8588, 5674, 3403, 1742, 661, 130, };
-
-double newsqrt(x)
-double x;
-{
-        double y,z,t,addc(),subc()
-	double const b54=134217728.*134217728.; /* b54=2**54 */
-        long mx,scalx;
-	long const mexp=0x7ff00000;
-        int i,j,r,e,swapINX(),swapRM(),swapENI();
-        unsigned long *py=(unsigned long *) &y   ,
-                      *pt=(unsigned long *) &t   ,
-                      *px=(unsigned long *) &x   ;
-#ifdef national         /* ordering of word in a floating point number */
-        const int n0=1, n1=0;
-#else
-        const int n0=0, n1=1;
-#endif
-/* Rounding Mode:  RN ...round-to-nearest
- *                 RZ ...round-towards 0
- *                 RP ...round-towards +INF
- *		   RM ...round-towards -INF
- */
-        const int RN=0,RZ=1,RP=2,RM=3;
-				/* machine dependent: work on a Zilog Z8070
-                                 * and a National 32081 & 16081
-                                 */
-
-/* exceptions */
-	if(x!=x||x==0.0) return(x);  /* sqrt(NaN) is NaN, sqrt(+-0) = +-0 */
-	if(x<0) return((x-x)/(x-x)); /* sqrt(negative) is invalid */
-        if((mx=px[n0]&mexp)==mexp) return(x);  /* sqrt(+INF) is +INF */
-
-/* save, reset, initialize */
-        e=swapENI(0);   /* ...save and reset the inexact enable */
-        i=swapINX(0);   /* ...save INEXACT flag */
-        r=swapRM(RN);   /* ...save and reset the Rounding Mode to RN */
-        scalx=0;
-
-/* subnormal number, scale up x to x*2**54 */
-        if(mx==0) {x *= b54 ; scalx-=0x01b00000;}
-
-/* scale x to avoid intermediate over/underflow:
- * if (x > 2**512) x=x/2**512; if (x < 2**-512) x=x*2**512 */
-        if(mx>0x5ff00000) {px[n0] -= 0x20000000; scalx+= 0x10000000;}
-        if(mx<0x1ff00000) {px[n0] += 0x20000000; scalx-= 0x10000000;}
-
-/* magic initial approximation to almost 8 sig. bits */
-        py[n0]=(px[n0]>>1)+0x1ff80000;
-        py[n0]=py[n0]-table[(py[n0]>>15)&31];
-
-/* Heron's rule once with correction to improve y to almost 18 sig. bits */
-        t=x/y; y=y+t; py[n0]=py[n0]-0x00100006; py[n1]=0;
-
-/* triple to almost 56 sig. bits; now y approx. sqrt(x) to within 1 ulp */
-        t=y*y; z=t;  pt[n0]+=0x00100000; t+=z; z=(x-z)*y;
-        t=z/(t+x) ;  pt[n0]+=0x00100000; y+=t;
-
-/* twiddle last bit to force y correctly rounded */
-        swapRM(RZ);     /* ...set Rounding Mode to round-toward-zero */
-        swapINX(0);     /* ...clear INEXACT flag */
-        swapENI(e);     /* ...restore inexact enable status */
-        t=x/y;          /* ...chopped quotient, possibly inexact */
-        j=swapINX(i);   /* ...read and restore inexact flag */
-        if(j==0) { if(t==y) goto end; else t=subc(t); }  /* ...t=t-ulp */
-        b54+0.1;        /* ..trigger inexact flag, sqrt(x) is inexact */
-        if(r==RN) t=addc(t);            /* ...t=t+ulp */
-        else if(r==RP) { t=addc(t);y=addc(y);}/* ...t=t+ulp;y=y+ulp; */
-        y=y+t;                          /* ...chopped sum */
-        py[n0]=py[n0]-0x00100000;       /* ...correctly rounded sqrt(x) */
-end:    py[n0]=py[n0]+scalx;            /* ...scale back y */
-        swapRM(r);                      /* ...restore Rounding Mode */
-        return(y);
-}
-#endif

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=511350628e6d67533247487df877b6b5c8110398

commit 511350628e6d67533247487df877b6b5c8110398
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:32:53 2013 -0300

    Remove unused sysdeps/ieee754/support.c.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c: Remove.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6befbab55a0494cfde0b24c1273eeaa1bca585d9

commit 6befbab55a0494cfde0b24c1273eeaa1bca585d9
Merge: 804fd3c 42b5c5b f24766f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:24:55 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=804fd3cdcb4c62a56cc3492b16be29a7dab9311a

commit 804fd3cdcb4c62a56cc3492b16be29a7dab9311a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:24:55 2013 -0300

    push

diff --git a/meta b/meta
index b883748..eac0d19 100644
--- a/meta
+++ b/meta
@@ -1,33 +1,33 @@
 Version: 1
-Previous: 31ea81ea2424a6791bb4b12781ca4f80e78f537c
-Head: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
+Previous: 42b5c5b93dd5e0ab073b0976b5571e6df7852de6
+Head: f24766f16a7fc05837ee864671592bdd230d4631
 Applied:
   manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
+  powerpc-nofpu-sim-note-nothread.patch: e34ecb782685d8b4d0d6a9badd3c4860d373179a
+  unused-scalb-is-scalbn.patch: 87cf27bcd012cd8ab3e3040aacaa99b93c037595
+  manual-document-mt-safety-argp.patch: ac784bfbcf7a152d47a16a6cf8627a4bf034b785
+  manual-document-mt-safety-arith.patch: f44135c2502e59169f999d4373ae92b799a3243f
+  manual-document-mt-safety-charset.patch: c4b388232d899078a1b6d6a59f8c81d91b48f0a1
+  manual-document-mt-safety-conf.patch: b5d8ce5c1458b5e838a2863d4ba4baa86c823b28
+  manual-document-mt-safety-crypt.patch: 72ef57b840cd42f1110c069ef69c5000ef9c88b7
+  manual-document-mt-safety-ctype.patch: f60b1d81ad9cb9c6c27a099d76bdc6abcaf790a2
+  manual-document-mt-safety-debug.patch: 68a39285b6322ffa0bc420d57ec68b14f732c4e3
+  manual-document-mt-safety-errno.patch: da9e9ee60c99d6dc0316d8546541e6dd9c0c9b99
+  manual-document-mt-safety-filesys.patch: d0691d184b91c2e2c5698ea76d17dd9f3a122f8f
+  manual-document-mt-safety-getopt.patch: 4a5d90dda6e00313cc5ba8ce421efaa9cb59081b
+  manual-document-mt-safety-libdl.patch: 307bd3daee46ac59346ae246cca438c773592157
+  manual-document-mt-safety-job.patch: 056831666a434aed7f142ee31ad9ca0d6ba2d3bc
+  manual-document-mt-safety-lang.patch: 63d1c42e6da89b0ad4d95cf9389cd10979efbe86
+  manual-document-mt-safety-llio.patch: 949a5e85be3e463201abb3eca47b28d136e6a748
+  manual-document-mt-safety-stdio.patch: fd97e2760a742412d0efb962445d45e5f6c31d25
+  wip-manual-document-mt-safety-locale.patch: 62c5d0311f8340f9adfd4020aaf20fc59b3bf99d
+  wip-manual-document-mt-safety-math.patch: 3c144b261343ed149aabebaf1644836f8cc743e5
+  wip-manual-document-mt-safety-startup.patch: 6300794e9ab2baa967f9a1778dbf68ab1dd6bded
+  wip-manual-document-mt-safety-search.patch: 41d5ae9e5dfbfe26fd2cd56fa6ca85642a89cccc
+  wip-manual-document-mt-safety-resource.patch: 1daf7c7b5916ddc5c68ab1eeb07c507dd20a6c24
+  wip-manual-document-mt-safety-string.patch: 733b88651a82568a50710faeb8984d6b4c9ed92e
+  wip-manual-document-mt-safety-terminal.patch: 88d6db1efac30fda4ced56f1f651174b35cf5214
+  wip-manual-document-mt-safety-threads.patch: a876db182b7283130d6189eb55ea401d35053850
+  wip-manual-document-mt-safety-time.patch: f24766f16a7fc05837ee864671592bdd230d4631
 Unapplied:
-  powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
-  unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
-  manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
-  manual-document-mt-safety-arith.patch: 838c715e0d3f4c3674975edd26315e143cca1455
-  manual-document-mt-safety-charset.patch: 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
-  manual-document-mt-safety-conf.patch: b2f06012824f907fd1cb35844c2e7a054ddf81f9
-  manual-document-mt-safety-crypt.patch: 93bce6450adbd4597a1a0d96bca4162b367a61c4
-  manual-document-mt-safety-ctype.patch: c67c0318158e4a31db772c98b8828e54db56693e
-  manual-document-mt-safety-debug.patch: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
-  manual-document-mt-safety-errno.patch: c809e22eb30fc43d15192d36963a8e19f7d65b0c
-  manual-document-mt-safety-filesys.patch: 88f6858a8c928050ef2686d392ea593e05cfc34a
-  manual-document-mt-safety-getopt.patch: f543b69a645a445a7b7484e4e4729387deb00d58
-  manual-document-mt-safety-libdl.patch: 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
-  manual-document-mt-safety-job.patch: d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
-  manual-document-mt-safety-lang.patch: b791ca7244516eba35200090ff65146015bbcf80
-  manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
-  manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
-  wip-manual-document-mt-safety-locale.patch: a7e2ad1ab8005398467e21a1903513ad72c3bb99
-  wip-manual-document-mt-safety-math.patch: 56b87287256294aac20d87cc8fb9f6b7febbe014
-  wip-manual-document-mt-safety-startup.patch: 062ff84a7871423535c7c5f066d10e4090c7538b
-  wip-manual-document-mt-safety-search.patch: b62126da8228002a5ceb39f3a8f8fc1335f71b52
-  wip-manual-document-mt-safety-resource.patch: bffba61b6f949ae966b8395e2285450fd747adae
-  wip-manual-document-mt-safety-string.patch: 618424dc72936ee238334d665063f1dd84a12715
-  wip-manual-document-mt-safety-terminal.patch: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
-  wip-manual-document-mt-safety-threads.patch: 03deacb6111e143a3cad124bf1aee0d111f3bb81
-  wip-manual-document-mt-safety-time.patch: a4db052d330a9c934252bc3a1489c922ea797683
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 0357d25..8284a1e 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: 342d93cedbc3899d97eb6abb3179c639ca189041
-Top:    3b3317dffdd8fb0b673f39fa8b5d3c6443f8fc0b
+Bottom: 34670202bf46f8c2807d998163a3ae485669f59e
+Top:    6f7a5e6749ad296a05be499432131dbe19bb6f95
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 9eca6bc..5e36901 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 3b3317dffdd8fb0b673f39fa8b5d3c6443f8fc0b
-Top:    20fd58920c13f96b1451eda75458a9c942d2094e
+Bottom: 6f7a5e6749ad296a05be499432131dbe19bb6f95
+Top:    defee7a3afc291649a03a852fe89e085e809b1cc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index 45a1643..9bbb051 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: 20fd58920c13f96b1451eda75458a9c942d2094e
-Top:    635dade8c2d466563bdeba84575ccfd57214e37e
+Bottom: defee7a3afc291649a03a852fe89e085e809b1cc
+Top:    f0f71d6f601b734abdc7ed68eab96e38b0b2a122
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:01:33 -0300
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index ad74927..79c3d28 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,5 +1,5 @@
-Bottom: 635dade8c2d466563bdeba84575ccfd57214e37e
-Top:    45cccd4a47645a41bfaa6a90e93cd3906e8edfa6
+Bottom: f0f71d6f601b734abdc7ed68eab96e38b0b2a122
+Top:    db47a43bafc8d1f8d787b9cfb531d1bc04a01bcc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:16 -0300
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index b799073..57d5762 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
-Bottom: 45cccd4a47645a41bfaa6a90e93cd3906e8edfa6
-Top:    f7704f5b20f5c9943d0105fa39bc7bb7ffcbb869
+Bottom: db47a43bafc8d1f8d787b9cfb531d1bc04a01bcc
+Top:    989582e2a61eac80aee357a0b3391b88bdf700b8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:47 -0300
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index c5de015..9b2ecd0 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: f7704f5b20f5c9943d0105fa39bc7bb7ffcbb869
-Top:    3de021265ff25f1386d7a7c20b91b2a25d84120f
+Bottom: 989582e2a61eac80aee357a0b3391b88bdf700b8
+Top:    e5a870898375d0f16d290f0ce49ace14c8d4a2d7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 9b0749d..d851526 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: 3de021265ff25f1386d7a7c20b91b2a25d84120f
-Top:    548606bab4bd38fa36c7264f1e06dbd818e0a4d4
+Bottom: e5a870898375d0f16d290f0ce49ace14c8d4a2d7
+Top:    18067421e6a29e6bd67a95dca76d8007f8b3208f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:11 -0300
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 67a101a..ea8bf28 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: 548606bab4bd38fa36c7264f1e06dbd818e0a4d4
-Top:    94d2ef49874113afaf68e43004adb8da972729b9
+Bottom: 18067421e6a29e6bd67a95dca76d8007f8b3208f
+Top:    69d0870850cf838c0374659f9cbf240c906205b8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:34 -0300
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 5ffc492..3b063f6 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: 94d2ef49874113afaf68e43004adb8da972729b9
-Top:    e32560bf251105655d134b5c41a9b8fdd9801d15
+Bottom: 69d0870850cf838c0374659f9cbf240c906205b8
+Top:    eae3c43e01e0c942f9a5097a40719ef9a00c9572
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 54c020d..2514497 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: e32560bf251105655d134b5c41a9b8fdd9801d15
-Top:    7673305db24e0b03187acb8928ddfeca18980793
+Bottom: eae3c43e01e0c942f9a5097a40719ef9a00c9572
+Top:    ca3bfae7ef20886b7aa0e19b97b7e989545ca988
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index ce62710..dd7e72e 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 2b93df95492ad4d1ceb8aa1d1cf8582c93b425b0
-Top:    c6b12eb06e14c9c5162f6f8386fb00a68dff09e7
+Bottom: 238024f7204c47a5f57650bf1249139600a50037
+Top:    0bac2dafb8007c7423049255cfe9f32d92341729
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 93ad7bd..6be420f 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: c6b12eb06e14c9c5162f6f8386fb00a68dff09e7
-Top:    e39567735e51df9a1cbd6f9b527ba0ebaebcbadb
+Bottom: 0bac2dafb8007c7423049255cfe9f32d92341729
+Top:    193841de621025d5ba0a8d8a93cd15e52ed049b0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 96f67fc..de6923e 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 7673305db24e0b03187acb8928ddfeca18980793
-Top:    2b93df95492ad4d1ceb8aa1d1cf8582c93b425b0
+Bottom: ca3bfae7ef20886b7aa0e19b97b7e989545ca988
+Top:    238024f7204c47a5f57650bf1249139600a50037
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index ede6838..e39088d 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: e39567735e51df9a1cbd6f9b527ba0ebaebcbadb
-Top:    1c79556edf2fc8cdc5742a63361502af02f3a7f6
+Bottom: 193841de621025d5ba0a8d8a93cd15e52ed049b0
+Top:    54dc9cb53a865ae026f28501a469078a5ca48df9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 2534cf3..c79c8a0 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 1c79556edf2fc8cdc5742a63361502af02f3a7f6
-Top:    530229eff374ce006c4c7f955d1d897e0a4056c6
+Bottom: 54dc9cb53a865ae026f28501a469078a5ca48df9
+Top:    f2df3f2410eb8c7978798b2bd791b2fdc45b156d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index c413ed2..3a80ccf 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,5 +1,5 @@
-Bottom: 465695c41ceed4d41aaebf0e135b8f1123912988
-Top:    315c23de417a6094ebe3c8259abcf7f190d93198
+Bottom: ec44285035bdee25fdfdd25c2385cb08deeced27
+Top:    d924767fdd94034e5ddf99b3e5a9291d4c5a5366
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 9b24c12..7c99769 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,5 +1,5 @@
-Bottom: 315c23de417a6094ebe3c8259abcf7f190d93198
-Top:    342d93cedbc3899d97eb6abb3179c639ca189041
+Bottom: d924767fdd94034e5ddf99b3e5a9291d4c5a5366
+Top:    34670202bf46f8c2807d998163a3ae485669f59e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 2cf1838..3a5b6c8 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 530229eff374ce006c4c7f955d1d897e0a4056c6
-Top:    8b03cdaff12cf5536b0a91677ddb1a0ac1f9368e
+Bottom: f2df3f2410eb8c7978798b2bd791b2fdc45b156d
+Top:    34ba4b413ec2770c09b9d2be65d6f179dc931409
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index d65dda1..6160c0a 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 8b03cdaff12cf5536b0a91677ddb1a0ac1f9368e
-Top:    6fc14fb146cab43af0e1bda549c1bb507464c42d
+Bottom: 34ba4b413ec2770c09b9d2be65d6f179dc931409
+Top:    f23d47c6bfcfa87ae920dd9dcae29c054fdf1287
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 274d546..33adf81 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: f51668851ee51ff2a8b1071a4f7537fa90aa45f0
-Top:    dd5da9bcdcb729b4272997ebdbf2d957a18c3919
+Bottom: 8bccd91fa434fbc218a608426cc927d18c5a4741
+Top:    fe51f29d9106a6912de339229dec19e904bbc8e2
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index 1f27ee4..2711dca 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: bcdc447440fd97e86fb3c83635b1c5f6ef3011db
-Top:    f51668851ee51ff2a8b1071a4f7537fa90aa45f0
+Bottom: 4537e5e668ab95e605ff113bad5fec616212481b
+Top:    8bccd91fa434fbc218a608426cc927d18c5a4741
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index f3bfdad..d8463d0 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 6fc14fb146cab43af0e1bda549c1bb507464c42d
-Top:    bcdc447440fd97e86fb3c83635b1c5f6ef3011db
+Bottom: f23d47c6bfcfa87ae920dd9dcae29c054fdf1287
+Top:    4537e5e668ab95e605ff113bad5fec616212481b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index 3fee822..2a09c97 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: dd5da9bcdcb729b4272997ebdbf2d957a18c3919
-Top:    49462a8df64b7650a0f0439d8ebb0709f38313fb
+Bottom: fe51f29d9106a6912de339229dec19e904bbc8e2
+Top:    84c9ce418c9f8b475576cd17329f2eba0eb54cfb
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 77dcb9b..40452fa 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 49462a8df64b7650a0f0439d8ebb0709f38313fb
-Top:    da17c9be69e48d21ca52d734c608880653385a32
+Bottom: 84c9ce418c9f8b475576cd17329f2eba0eb54cfb
+Top:    39f47ac852160ce679bd115e2adad12da35bb14f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index 86850be..aee55ed 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: da17c9be69e48d21ca52d734c608880653385a32
-Top:    1055542944ccec75d19150bda526177d2f245c5a
+Bottom: 39f47ac852160ce679bd115e2adad12da35bb14f
+Top:    161db65f6a283f93d796b6d782c90ce82ff5586e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index f168240..1da1731 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 1055542944ccec75d19150bda526177d2f245c5a
-Top:    13da41faaf0af578a55abbc8971e69874c1f3914
+Bottom: 161db65f6a283f93d796b6d782c90ce82ff5586e
+Top:    b84a5f688770814e8732185c0f64b14903b5b29a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f24766f16a7fc05837ee864671592bdd230d4631

commit f24766f16a7fc05837ee864671592bdd230d4631
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a876db182b7283130d6189eb55ea401d35053850

commit a876db182b7283130d6189eb55ea401d35053850
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=88d6db1efac30fda4ced56f1f651174b35cf5214

commit 88d6db1efac30fda4ced56f1f651174b35cf5214
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=733b88651a82568a50710faeb8984d6b4c9ed92e

commit 733b88651a82568a50710faeb8984d6b4c9ed92e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1daf7c7b5916ddc5c68ab1eeb07c507dd20a6c24

commit 1daf7c7b5916ddc5c68ab1eeb07c507dd20a6c24
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=41d5ae9e5dfbfe26fd2cd56fa6ca85642a89cccc

commit 41d5ae9e5dfbfe26fd2cd56fa6ca85642a89cccc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6300794e9ab2baa967f9a1778dbf68ab1dd6bded

commit 6300794e9ab2baa967f9a1778dbf68ab1dd6bded
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3c144b261343ed149aabebaf1644836f8cc743e5

commit 3c144b261343ed149aabebaf1644836f8cc743e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=62c5d0311f8340f9adfd4020aaf20fc59b3bf99d

commit 62c5d0311f8340f9adfd4020aaf20fc59b3bf99d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fd97e2760a742412d0efb962445d45e5f6c31d25

commit fd97e2760a742412d0efb962445d45e5f6c31d25
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=949a5e85be3e463201abb3eca47b28d136e6a748

commit 949a5e85be3e463201abb3eca47b28d136e6a748
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=63d1c42e6da89b0ad4d95cf9389cd10979efbe86

commit 63d1c42e6da89b0ad4d95cf9389cd10979efbe86
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=056831666a434aed7f142ee31ad9ca0d6ba2d3bc

commit 056831666a434aed7f142ee31ad9ca0d6ba2d3bc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=307bd3daee46ac59346ae246cca438c773592157

commit 307bd3daee46ac59346ae246cca438c773592157
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4a5d90dda6e00313cc5ba8ce421efaa9cb59081b

commit 4a5d90dda6e00313cc5ba8ce421efaa9cb59081b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d0691d184b91c2e2c5698ea76d17dd9f3a122f8f

commit d0691d184b91c2e2c5698ea76d17dd9f3a122f8f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..47176cc 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=da9e9ee60c99d6dc0316d8546541e6dd9c0c9b99

commit da9e9ee60c99d6dc0316d8546541e6dd9c0c9b99
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=68a39285b6322ffa0bc420d57ec68b14f732c4e3

commit 68a39285b6322ffa0bc420d57ec68b14f732c4e3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f60b1d81ad9cb9c6c27a099d76bdc6abcaf790a2

commit f60b1d81ad9cb9c6c27a099d76bdc6abcaf790a2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=72ef57b840cd42f1110c069ef69c5000ef9c88b7

commit 72ef57b840cd42f1110c069ef69c5000ef9c88b7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b5d8ce5c1458b5e838a2863d4ba4baa86c823b28

commit b5d8ce5c1458b5e838a2863d4ba4baa86c823b28
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c4b388232d899078a1b6d6a59f8c81d91b48f0a1

commit c4b388232d899078a1b6d6a59f8c81d91b48f0a1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f44135c2502e59169f999d4373ae92b799a3243f

commit f44135c2502e59169f999d4373ae92b799a3243f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac784bfbcf7a152d47a16a6cf8627a4bf034b785

commit ac784bfbcf7a152d47a16a6cf8627a4bf034b785
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=87cf27bcd012cd8ab3e3040aacaa99b93c037595

commit 87cf27bcd012cd8ab3e3040aacaa99b93c037595
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e34ecb782685d8b4d0d6a9badd3c4860d373179a

commit e34ecb782685d8b4d0d6a9badd3c4860d373179a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=42b5c5b93dd5e0ab073b0976b5571e6df7852de6

commit 42b5c5b93dd5e0ab073b0976b5571e6df7852de6
Merge: 83ba23e d2ce932 31ea81e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:24:30 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=83ba23e043930c8d483516356e43e8a28a5f6465

commit 83ba23e043930c8d483516356e43e8a28a5f6465
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:24:29 2013 -0300

    refresh

diff --git a/meta b/meta
index b1b1b47..b883748 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,8 @@
 Version: 1
-Previous: fc9c5a081468d3baafbe6effb97f22f1fa870bc0
-Head: 55e6b3c7d67abdc077766c69e22fcf73fcb2125e
+Previous: 31ea81ea2424a6791bb4b12781ca4f80e78f537c
+Head: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
 Applied:
-  manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
-  refresh-temp: 55e6b3c7d67abdc077766c69e22fcf73fcb2125e
+  manual-document-mt-safety.patch: d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index 94acf09..c25fc87 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,5 +1,5 @@
 Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
-Top:    465695c41ceed4d41aaebf0e135b8f1123912988
+Top:    ec44285035bdee25fdfdd25c2385cb08deeced27
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
@@ -15,10 +15,10 @@ for  ChangeLog
 ---
 
 diff --git a/manual/intro.texi b/manual/intro.texi
-index deaf089..07f27c9 100644
+index deaf089..d183e12 100644
 --- a/manual/intro.texi
 +++ b/manual/intro.texi
-@@ -172,6 +172,411 @@ pattern matching facilities (@pxref{Pattern Matching}).
+@@ -172,6 +172,412 @@ pattern matching facilities (@pxref{Pattern Matching}).
  @comment <wordexp.h> (not yet implemented)
  @comment confstr
  
@@ -158,9 +158,10 @@ index deaf089..07f27c9 100644
 +@cindex xguargs
 +
 +Functions marked with @code{xguargs} may use or modify objects passed as
-+arguments without any guards to ensure consistency.  To ensure MT- and
-+AS-Safe behavior, callers must ensure that the objects passed in are not
-+modified concurrently by other threads or signal handlers.
++arguments without any guards that could guarantee consistency.  To
++ensure MT- and AS-Safe behavior, callers must ensure that the objects
++passed in are not modified concurrently by other threads or signal
++handlers.
 +
 +
 +@item @code{tempchwd}
@@ -422,7 +423,7 @@ index deaf089..07f27c9 100644
 +vice-versa.
 +
 +For the time being, the absence of this remark does not imply the safety
-+propertes we documentated are identical to those mandated by POSIX for
++properties we documented are identical to those mandated by POSIX for
 +the corresponding functions.
 +
 +@end itemize
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index cdaf528..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,36 +0,0 @@
-Bottom: 465695c41ceed4d41aaebf0e135b8f1123912988
-Top:    ec44285035bdee25fdfdd25c2385cb08deeced27
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-16 00:24:28 -0300
-
-Refresh of manual-document-mt-safety.patch
-
----
-
-diff --git a/manual/intro.texi b/manual/intro.texi
-index 07f27c9..d183e12 100644
---- a/manual/intro.texi
-+++ b/manual/intro.texi
-@@ -308,9 +308,10 @@ locking by the caller are the entire family of stdio functions.
- @cindex xguargs
- 
- Functions marked with @code{xguargs} may use or modify objects passed as
--arguments without any guards to ensure consistency.  To ensure MT- and
--AS-Safe behavior, callers must ensure that the objects passed in are not
--modified concurrently by other threads or signal handlers.
-+arguments without any guards that could guarantee consistency.  To
-+ensure MT- and AS-Safe behavior, callers must ensure that the objects
-+passed in are not modified concurrently by other threads or signal
-+handlers.
- 
- 
- @item @code{tempchwd}
-@@ -572,7 +573,7 @@ require a function to be Safe, but our implementation is Safe, or
- vice-versa.
- 
- For the time being, the absence of this remark does not imply the safety
--propertes we documentated are identical to those mandated by POSIX for
-+properties we documented are identical to those mandated by POSIX for
- the corresponding functions.
- 
- @end itemize

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=31ea81ea2424a6791bb4b12781ca4f80e78f537c

commit 31ea81ea2424a6791bb4b12781ca4f80e78f537c
Merge: bdb6f7d fc9c5a0 55e6b3c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:24:29 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bdb6f7de0663a53b860390c69e09cc4847736b08

commit bdb6f7de0663a53b860390c69e09cc4847736b08
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:24:29 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index fbc1f94..b1b1b47 100644
--- a/meta
+++ b/meta
@@ -1,8 +1,9 @@
 Version: 1
-Previous: b7bb1740606d55f5689517be37ec1b130c48530f
-Head: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
+Previous: fc9c5a081468d3baafbe6effb97f22f1fa870bc0
+Head: 55e6b3c7d67abdc077766c69e22fcf73fcb2125e
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
+  refresh-temp: 55e6b3c7d67abdc077766c69e22fcf73fcb2125e
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..cdaf528
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,36 @@
+Bottom: 465695c41ceed4d41aaebf0e135b8f1123912988
+Top:    ec44285035bdee25fdfdd25c2385cb08deeced27
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-16 00:24:28 -0300
+
+Refresh of manual-document-mt-safety.patch
+
+---
+
+diff --git a/manual/intro.texi b/manual/intro.texi
+index 07f27c9..d183e12 100644
+--- a/manual/intro.texi
++++ b/manual/intro.texi
+@@ -308,9 +308,10 @@ locking by the caller are the entire family of stdio functions.
+ @cindex xguargs
+ 
+ Functions marked with @code{xguargs} may use or modify objects passed as
+-arguments without any guards to ensure consistency.  To ensure MT- and
+-AS-Safe behavior, callers must ensure that the objects passed in are not
+-modified concurrently by other threads or signal handlers.
++arguments without any guards that could guarantee consistency.  To
++ensure MT- and AS-Safe behavior, callers must ensure that the objects
++passed in are not modified concurrently by other threads or signal
++handlers.
+ 
+ 
+ @item @code{tempchwd}
+@@ -572,7 +573,7 @@ require a function to be Safe, but our implementation is Safe, or
+ vice-versa.
+ 
+ For the time being, the absence of this remark does not imply the safety
+-propertes we documentated are identical to those mandated by POSIX for
++properties we documented are identical to those mandated by POSIX for
+ the corresponding functions.
+ 
+ @end itemize

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=55e6b3c7d67abdc077766c69e22fcf73fcb2125e

commit 55e6b3c7d67abdc077766c69e22fcf73fcb2125e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:24:28 2013 -0300

    Refresh of manual-document-mt-safety.patch

diff --git a/manual/intro.texi b/manual/intro.texi
index 07f27c9..d183e12 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -308,9 +308,10 @@ locking by the caller are the entire family of stdio functions.
 @cindex xguargs
 
 Functions marked with @code{xguargs} may use or modify objects passed as
-arguments without any guards to ensure consistency.  To ensure MT- and
-AS-Safe behavior, callers must ensure that the objects passed in are not
-modified concurrently by other threads or signal handlers.
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
 
 
 @item @code{tempchwd}
@@ -572,7 +573,7 @@ require a function to be Safe, but our implementation is Safe, or
 vice-versa.
 
 For the time being, the absence of this remark does not imply the safety
-propertes we documentated are identical to those mandated by POSIX for
+properties we documented are identical to those mandated by POSIX for
 the corresponding functions.
 
 @end itemize

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fc9c5a081468d3baafbe6effb97f22f1fa870bc0

commit fc9c5a081468d3baafbe6effb97f22f1fa870bc0
Merge: 8c7660e b7bb174
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:22:45 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8c7660e9d127b4f8ac2e8f60f5af55b4e0ccac16

commit 8c7660e9d127b4f8ac2e8f60f5af55b4e0ccac16
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:22:45 2013 -0300

    push

diff --git a/meta b/meta
index 3c86131..fbc1f94 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,9 @@
 Version: 1
-Previous: 024af7cd034b16d576f3ac3711ddc1cb28d17689
-Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
+Previous: b7bb1740606d55f5689517be37ec1b130c48530f
+Head: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
 Applied:
-Unapplied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
+Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b7bb1740606d55f5689517be37ec1b130c48530f

commit b7bb1740606d55f5689517be37ec1b130c48530f
Merge: c64d069 ca0a6bc 024af7c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:22:42 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c64d069b47c5d012e1c1789f891bd4ead485cdc7

commit c64d069b47c5d012e1c1789f891bd4ead485cdc7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Fri Aug 16 00:22:42 2013 -0300

    pop

diff --git a/meta b/meta
index 4fd9972..3c86131 100644
--- a/meta
+++ b/meta
@@ -1,7 +1,8 @@
 Version: 1
-Previous: 9c69c077521c48a292610b2fdd63a2ee75f324b1
-Head: a4db052d330a9c934252bc3a1489c922ea797683
+Previous: 024af7cd034b16d576f3ac3711ddc1cb28d17689
+Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
 Applied:
+Unapplied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
@@ -29,5 +30,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
   wip-manual-document-mt-safety-threads.patch: 03deacb6111e143a3cad124bf1aee0d111f3bb81
   wip-manual-document-mt-safety-time.patch: a4db052d330a9c934252bc3a1489c922ea797683
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=024af7cd034b16d576f3ac3711ddc1cb28d17689

commit 024af7cd034b16d576f3ac3711ddc1cb28d17689
Merge: 34bde4e 9c69c07
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:40:14 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=34bde4e2ea6743d5ff6b87ff48bf5f0d44ad34b6

commit 34bde4e2ea6743d5ff6b87ff48bf5f0d44ad34b6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:40:14 2013 -0300

    push

diff --git a/meta b/meta
index 0070d60..4fd9972 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: fc731fec12b826be460969fe67a3d1f0adc70fd3
-Head: a7e2ad1ab8005398467e21a1903513ad72c3bb99
+Previous: 9c69c077521c48a292610b2fdd63a2ee75f324b1
+Head: a4db052d330a9c934252bc3a1489c922ea797683
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -21,7 +21,6 @@ Applied:
   manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
   manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
   wip-manual-document-mt-safety-locale.patch: a7e2ad1ab8005398467e21a1903513ad72c3bb99
-Unapplied:
   wip-manual-document-mt-safety-math.patch: 56b87287256294aac20d87cc8fb9f6b7febbe014
   wip-manual-document-mt-safety-startup.patch: 062ff84a7871423535c7c5f066d10e4090c7538b
   wip-manual-document-mt-safety-search.patch: b62126da8228002a5ceb39f3a8f8fc1335f71b52
@@ -30,4 +29,5 @@ Unapplied:
   wip-manual-document-mt-safety-terminal.patch: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
   wip-manual-document-mt-safety-threads.patch: 03deacb6111e143a3cad124bf1aee0d111f3bb81
   wip-manual-document-mt-safety-time.patch: a4db052d330a9c934252bc3a1489c922ea797683
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9c69c077521c48a292610b2fdd63a2ee75f324b1

commit 9c69c077521c48a292610b2fdd63a2ee75f324b1
Merge: 5105379 fc731fe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:39:51 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5105379781cf3d9d7f97b4e9aeb4b34d888263ee

commit 5105379781cf3d9d7f97b4e9aeb4b34d888263ee
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:39:51 2013 -0300

    goto

diff --git a/meta b/meta
index 7ccb65b..0070d60 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 188a9c2a1336cf01e4c46641dba1f90a79d73cf2
-Head: a4db052d330a9c934252bc3a1489c922ea797683
+Previous: fc731fec12b826be460969fe67a3d1f0adc70fd3
+Head: a7e2ad1ab8005398467e21a1903513ad72c3bb99
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -21,6 +21,7 @@ Applied:
   manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
   manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
   wip-manual-document-mt-safety-locale.patch: a7e2ad1ab8005398467e21a1903513ad72c3bb99
+Unapplied:
   wip-manual-document-mt-safety-math.patch: 56b87287256294aac20d87cc8fb9f6b7febbe014
   wip-manual-document-mt-safety-startup.patch: 062ff84a7871423535c7c5f066d10e4090c7538b
   wip-manual-document-mt-safety-search.patch: b62126da8228002a5ceb39f3a8f8fc1335f71b52
@@ -29,5 +30,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
   wip-manual-document-mt-safety-threads.patch: 03deacb6111e143a3cad124bf1aee0d111f3bb81
   wip-manual-document-mt-safety-time.patch: a4db052d330a9c934252bc3a1489c922ea797683
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fc731fec12b826be460969fe67a3d1f0adc70fd3

commit fc731fec12b826be460969fe67a3d1f0adc70fd3
Merge: ed68c30 a4db052 188a9c2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:36 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ed68c303d6f779bac439014c370ee067d84cd5b9

commit ed68c303d6f779bac439014c370ee067d84cd5b9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:36 2013 -0300

    push

diff --git a/meta b/meta
index c590fb2..7ccb65b 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6ca4824de83c6cdffa405e64ca12e2ca7d5c044e
-Head: 03deacb6111e143a3cad124bf1aee0d111f3bb81
+Previous: 188a9c2a1336cf01e4c46641dba1f90a79d73cf2
+Head: a4db052d330a9c934252bc3a1489c922ea797683
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -28,6 +28,6 @@ Applied:
   wip-manual-document-mt-safety-string.patch: 618424dc72936ee238334d665063f1dd84a12715
   wip-manual-document-mt-safety-terminal.patch: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
   wip-manual-document-mt-safety-threads.patch: 03deacb6111e143a3cad124bf1aee0d111f3bb81
+  wip-manual-document-mt-safety-time.patch: a4db052d330a9c934252bc3a1489c922ea797683
 Unapplied:
-  wip-manual-document-mt-safety-time.patch: 4022accc5d1f9f2ae322f8f76488286c694acd7b
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
index ee52a8e..f168240 100644
--- a/patches/wip-manual-document-mt-safety-time.patch
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -1,5 +1,5 @@
-Bottom: 934314e9de7d53f206e47915ea85ef4798ee295a
-Top:    7472b1dd7a8cc8760b98cd08cb7f8418374249ed
+Bottom: 1055542944ccec75d19150bda526177d2f245c5a
+Top:    13da41faaf0af578a55abbc8971e69874c1f3914
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:50 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a4db052d330a9c934252bc3a1489c922ea797683

commit a4db052d330a9c934252bc3a1489c922ea797683
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=188a9c2a1336cf01e4c46641dba1f90a79d73cf2

commit 188a9c2a1336cf01e4c46641dba1f90a79d73cf2
Merge: c3e4f05 03deacb 6ca4824
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:35 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c3e4f05ef5ef05650041900dbd4d5f0a3ba237e9

commit c3e4f05ef5ef05650041900dbd4d5f0a3ba237e9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:35 2013 -0300

    push

diff --git a/meta b/meta
index 453dbe4..c590fb2 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 2cca10d1496cfd37dd55138428d66f765dbeafbe
-Head: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
+Previous: 6ca4824de83c6cdffa405e64ca12e2ca7d5c044e
+Head: 03deacb6111e143a3cad124bf1aee0d111f3bb81
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -27,7 +27,7 @@ Applied:
   wip-manual-document-mt-safety-resource.patch: bffba61b6f949ae966b8395e2285450fd747adae
   wip-manual-document-mt-safety-string.patch: 618424dc72936ee238334d665063f1dd84a12715
   wip-manual-document-mt-safety-terminal.patch: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
+  wip-manual-document-mt-safety-threads.patch: 03deacb6111e143a3cad124bf1aee0d111f3bb81
 Unapplied:
-  wip-manual-document-mt-safety-threads.patch: 49c5533ec879c99f89ad9a1ba58929a9739a1254
   wip-manual-document-mt-safety-time.patch: 4022accc5d1f9f2ae322f8f76488286c694acd7b
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
index a8a9208..86850be 100644
--- a/patches/wip-manual-document-mt-safety-threads.patch
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -1,5 +1,5 @@
-Bottom: 9f340cd557aceda321c8ef9f6db21082e5dbdaee
-Top:    934314e9de7d53f206e47915ea85ef4798ee295a
+Bottom: da17c9be69e48d21ca52d734c608880653385a32
+Top:    1055542944ccec75d19150bda526177d2f245c5a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:14:35 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=03deacb6111e143a3cad124bf1aee0d111f3bb81

commit 03deacb6111e143a3cad124bf1aee0d111f3bb81
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6ca4824de83c6cdffa405e64ca12e2ca7d5c044e

commit 6ca4824de83c6cdffa405e64ca12e2ca7d5c044e
Merge: 9cd0acc 2cca10d 7bdeaf7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:34 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9cd0acc9a99c7672ab8a4eedc1b9af34c2683708

commit 9cd0acc9a99c7672ab8a4eedc1b9af34c2683708
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:34 2013 -0300

    push

diff --git a/meta b/meta
index 35c9bb8..453dbe4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: dda771a556f201b9d0ffccaca415109ccc15a047
-Head: 618424dc72936ee238334d665063f1dd84a12715
+Previous: 2cca10d1496cfd37dd55138428d66f765dbeafbe
+Head: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -26,8 +26,8 @@ Applied:
   wip-manual-document-mt-safety-search.patch: b62126da8228002a5ceb39f3a8f8fc1335f71b52
   wip-manual-document-mt-safety-resource.patch: bffba61b6f949ae966b8395e2285450fd747adae
   wip-manual-document-mt-safety-string.patch: 618424dc72936ee238334d665063f1dd84a12715
+  wip-manual-document-mt-safety-terminal.patch: 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
 Unapplied:
-  wip-manual-document-mt-safety-terminal.patch: a9f83c82c1746276acceb4928131d8099c0caf6a
   wip-manual-document-mt-safety-threads.patch: 49c5533ec879c99f89ad9a1ba58929a9739a1254
   wip-manual-document-mt-safety-time.patch: 4022accc5d1f9f2ae322f8f76488286c694acd7b
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
index 09d43ed..77dcb9b 100644
--- a/patches/wip-manual-document-mt-safety-terminal.patch
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -1,5 +1,5 @@
-Bottom: 12b763b61e3c2dff9a990b8c3271a64b6febfd63
-Top:    9f340cd557aceda321c8ef9f6db21082e5dbdaee
+Bottom: 49462a8df64b7650a0f0439d8ebb0709f38313fb
+Top:    da17c9be69e48d21ca52d734c608880653385a32
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:53 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3

commit 7bdeaf7b03e2c3668857e0bd1506aff550d8d5a3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2cca10d1496cfd37dd55138428d66f765dbeafbe

commit 2cca10d1496cfd37dd55138428d66f765dbeafbe
Merge: 715e15a dda771a 618424d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:33 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=715e15aad732599ba684b018145e7ac130194323

commit 715e15aad732599ba684b018145e7ac130194323
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:33 2013 -0300

    push

diff --git a/meta b/meta
index f6cc64e..35c9bb8 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6bf09ff7800d73e6cd33a4d93004a9023f731dc0
-Head: bffba61b6f949ae966b8395e2285450fd747adae
+Previous: dda771a556f201b9d0ffccaca415109ccc15a047
+Head: 618424dc72936ee238334d665063f1dd84a12715
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -25,8 +25,8 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: 062ff84a7871423535c7c5f066d10e4090c7538b
   wip-manual-document-mt-safety-search.patch: b62126da8228002a5ceb39f3a8f8fc1335f71b52
   wip-manual-document-mt-safety-resource.patch: bffba61b6f949ae966b8395e2285450fd747adae
+  wip-manual-document-mt-safety-string.patch: 618424dc72936ee238334d665063f1dd84a12715
 Unapplied:
-  wip-manual-document-mt-safety-string.patch: 1b3406934ca4e3cb676972632387dd5862c26d57
   wip-manual-document-mt-safety-terminal.patch: a9f83c82c1746276acceb4928131d8099c0caf6a
   wip-manual-document-mt-safety-threads.patch: 49c5533ec879c99f89ad9a1ba58929a9739a1254
   wip-manual-document-mt-safety-time.patch: 4022accc5d1f9f2ae322f8f76488286c694acd7b
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
index c2dd68c..3fee822 100644
--- a/patches/wip-manual-document-mt-safety-string.patch
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -1,5 +1,5 @@
-Bottom: 3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
-Top:    12b763b61e3c2dff9a990b8c3271a64b6febfd63
+Bottom: dd5da9bcdcb729b4272997ebdbf2d957a18c3919
+Top:    49462a8df64b7650a0f0439d8ebb0709f38313fb
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:13:24 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=618424dc72936ee238334d665063f1dd84a12715

commit 618424dc72936ee238334d665063f1dd84a12715
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dda771a556f201b9d0ffccaca415109ccc15a047

commit dda771a556f201b9d0ffccaca415109ccc15a047
Merge: 9395746 6bf09ff bffba61
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:32 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=93957467a70cbb07091db9305c660192646c37f6

commit 93957467a70cbb07091db9305c660192646c37f6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:32 2013 -0300

    push

diff --git a/meta b/meta
index 8ad2fec..f6cc64e 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 76bac2d3aff95109ec070609c061d068f345f872
-Head: b62126da8228002a5ceb39f3a8f8fc1335f71b52
+Previous: 6bf09ff7800d73e6cd33a4d93004a9023f731dc0
+Head: bffba61b6f949ae966b8395e2285450fd747adae
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -24,8 +24,8 @@ Applied:
   wip-manual-document-mt-safety-math.patch: 56b87287256294aac20d87cc8fb9f6b7febbe014
   wip-manual-document-mt-safety-startup.patch: 062ff84a7871423535c7c5f066d10e4090c7538b
   wip-manual-document-mt-safety-search.patch: b62126da8228002a5ceb39f3a8f8fc1335f71b52
+  wip-manual-document-mt-safety-resource.patch: bffba61b6f949ae966b8395e2285450fd747adae
 Unapplied:
-  wip-manual-document-mt-safety-resource.patch: ce4ad52cc41d3ae34f10dc5fa29d2d4c2aa08a5c
   wip-manual-document-mt-safety-string.patch: 1b3406934ca4e3cb676972632387dd5862c26d57
   wip-manual-document-mt-safety-terminal.patch: a9f83c82c1746276acceb4928131d8099c0caf6a
   wip-manual-document-mt-safety-threads.patch: 49c5533ec879c99f89ad9a1ba58929a9739a1254
diff --git a/patches/wip-manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
index 4b6d73f..274d546 100644
--- a/patches/wip-manual-document-mt-safety-resource.patch
+++ b/patches/wip-manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 4275437ac31826c5f18c9a5e4b30e85235c02761
-Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
+Bottom: f51668851ee51ff2a8b1071a4f7537fa90aa45f0
+Top:    dd5da9bcdcb729b4272997ebdbf2d957a18c3919
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bffba61b6f949ae966b8395e2285450fd747adae

commit bffba61b6f949ae966b8395e2285450fd747adae
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6bf09ff7800d73e6cd33a4d93004a9023f731dc0

commit 6bf09ff7800d73e6cd33a4d93004a9023f731dc0
Merge: 30e5656 76bac2d b62126d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:31 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=30e5656bae5fa937caa508bb6d04ffd84e59afe2

commit 30e5656bae5fa937caa508bb6d04ffd84e59afe2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:31 2013 -0300

    push

diff --git a/meta b/meta
index 3cfe21d..8ad2fec 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5d4d522b68a597b9295d8fbabfbe708f3ee416dd
-Head: 062ff84a7871423535c7c5f066d10e4090c7538b
+Previous: 76bac2d3aff95109ec070609c061d068f345f872
+Head: b62126da8228002a5ceb39f3a8f8fc1335f71b52
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -23,8 +23,8 @@ Applied:
   wip-manual-document-mt-safety-locale.patch: a7e2ad1ab8005398467e21a1903513ad72c3bb99
   wip-manual-document-mt-safety-math.patch: 56b87287256294aac20d87cc8fb9f6b7febbe014
   wip-manual-document-mt-safety-startup.patch: 062ff84a7871423535c7c5f066d10e4090c7538b
+  wip-manual-document-mt-safety-search.patch: b62126da8228002a5ceb39f3a8f8fc1335f71b52
 Unapplied:
-  wip-manual-document-mt-safety-search.patch: 75e6004e8dbc695b0cdc9b84249cf1b777fc30b5
   wip-manual-document-mt-safety-resource.patch: ce4ad52cc41d3ae34f10dc5fa29d2d4c2aa08a5c
   wip-manual-document-mt-safety-string.patch: 1b3406934ca4e3cb676972632387dd5862c26d57
   wip-manual-document-mt-safety-terminal.patch: a9f83c82c1746276acceb4928131d8099c0caf6a
diff --git a/patches/wip-manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
index dfc7d5e..1f27ee4 100644
--- a/patches/wip-manual-document-mt-safety-search.patch
+++ b/patches/wip-manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 9e26e65c6f5ad1ae860b4b03c429a90054cbb837
-Top:    4275437ac31826c5f18c9a5e4b30e85235c02761
+Bottom: bcdc447440fd97e86fb3c83635b1c5f6ef3011db
+Top:    f51668851ee51ff2a8b1071a4f7537fa90aa45f0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b62126da8228002a5ceb39f3a8f8fc1335f71b52

commit b62126da8228002a5ceb39f3a8f8fc1335f71b52
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=76bac2d3aff95109ec070609c061d068f345f872

commit 76bac2d3aff95109ec070609c061d068f345f872
Merge: a43410a 5d4d522 062ff84
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:31 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a43410af92a9b5c8eb1b3add852ad8ce57bdff70

commit a43410af92a9b5c8eb1b3add852ad8ce57bdff70
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:31 2013 -0300

    push

diff --git a/meta b/meta
index fab563c..3cfe21d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 4f8bd859aa8ea04e484c884568c95714b760a431
-Head: 56b87287256294aac20d87cc8fb9f6b7febbe014
+Previous: 5d4d522b68a597b9295d8fbabfbe708f3ee416dd
+Head: 062ff84a7871423535c7c5f066d10e4090c7538b
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -22,8 +22,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
   wip-manual-document-mt-safety-locale.patch: a7e2ad1ab8005398467e21a1903513ad72c3bb99
   wip-manual-document-mt-safety-math.patch: 56b87287256294aac20d87cc8fb9f6b7febbe014
+  wip-manual-document-mt-safety-startup.patch: 062ff84a7871423535c7c5f066d10e4090c7538b
 Unapplied:
-  wip-manual-document-mt-safety-startup.patch: 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
   wip-manual-document-mt-safety-search.patch: 75e6004e8dbc695b0cdc9b84249cf1b777fc30b5
   wip-manual-document-mt-safety-resource.patch: ce4ad52cc41d3ae34f10dc5fa29d2d4c2aa08a5c
   wip-manual-document-mt-safety-string.patch: 1b3406934ca4e3cb676972632387dd5862c26d57
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 93b8b21..f3bfdad 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 34850c3fae2002c32308b3353855e2de0a18b4d3
-Top:    9e26e65c6f5ad1ae860b4b03c429a90054cbb837
+Bottom: 6fc14fb146cab43af0e1bda549c1bb507464c42d
+Top:    bcdc447440fd97e86fb3c83635b1c5f6ef3011db
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=062ff84a7871423535c7c5f066d10e4090c7538b

commit 062ff84a7871423535c7c5f066d10e4090c7538b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d4d522b68a597b9295d8fbabfbe708f3ee416dd

commit 5d4d522b68a597b9295d8fbabfbe708f3ee416dd
Merge: 9213fd5 4f8bd85 56b8728
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:30 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9213fd51ad214ae03727e1b1490eeec71ea0041d

commit 9213fd51ad214ae03727e1b1490eeec71ea0041d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:30 2013 -0300

    push

diff --git a/meta b/meta
index 4e4f771..fab563c 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: c80d4db9267cd250c557ac1708878125a456db56
-Head: a7e2ad1ab8005398467e21a1903513ad72c3bb99
+Previous: 4f8bd859aa8ea04e484c884568c95714b760a431
+Head: 56b87287256294aac20d87cc8fb9f6b7febbe014
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -21,8 +21,8 @@ Applied:
   manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
   manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
   wip-manual-document-mt-safety-locale.patch: a7e2ad1ab8005398467e21a1903513ad72c3bb99
+  wip-manual-document-mt-safety-math.patch: 56b87287256294aac20d87cc8fb9f6b7febbe014
 Unapplied:
-  wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
   wip-manual-document-mt-safety-startup.patch: 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
   wip-manual-document-mt-safety-search.patch: 75e6004e8dbc695b0cdc9b84249cf1b777fc30b5
   wip-manual-document-mt-safety-resource.patch: ce4ad52cc41d3ae34f10dc5fa29d2d4c2aa08a5c
diff --git a/patches/wip-manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
index 1477a1e..d65dda1 100644
--- a/patches/wip-manual-document-mt-safety-math.patch
+++ b/patches/wip-manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 9810f600dc88278307b0fb70f5a0bc3a128cac35
-Top:    34850c3fae2002c32308b3353855e2de0a18b4d3
+Bottom: 8b03cdaff12cf5536b0a91677ddb1a0ac1f9368e
+Top:    6fc14fb146cab43af0e1bda549c1bb507464c42d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=56b87287256294aac20d87cc8fb9f6b7febbe014

commit 56b87287256294aac20d87cc8fb9f6b7febbe014
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4f8bd859aa8ea04e484c884568c95714b760a431

commit 4f8bd859aa8ea04e484c884568c95714b760a431
Merge: 128da13 a7e2ad1 c80d4db
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:27 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=128da139d0c42cc18392024fdc8c2d0f449b51da

commit 128da139d0c42cc18392024fdc8c2d0f449b51da
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:27 2013 -0300

    refresh

diff --git a/meta b/meta
index af0bab7..4e4f771 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9c71bbfa5861775c9dcbfd52a2b0dffd88fc7c5e
-Head: 35eee9e8d5320718c1c0a525b3cd0f7739f0d427
+Previous: c80d4db9267cd250c557ac1708878125a456db56
+Head: a7e2ad1ab8005398467e21a1903513ad72c3bb99
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -20,8 +20,7 @@ Applied:
   manual-document-mt-safety-lang.patch: b791ca7244516eba35200090ff65146015bbcf80
   manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
   manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
-  wip-manual-document-mt-safety-locale.patch: 87435eab512846c7999ee8bf7469e274a83555fe
-  refresh-temp: 35eee9e8d5320718c1c0a525b3cd0f7739f0d427
+  wip-manual-document-mt-safety-locale.patch: a7e2ad1ab8005398467e21a1903513ad72c3bb99
 Unapplied:
   wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
   wip-manual-document-mt-safety-startup.patch: 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 3fcd55a..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,22 +0,0 @@
-Bottom: 399ffe27a17cf7d3358a5588aa455450336867d1
-Top:    8b03cdaff12cf5536b0a91677ddb1a0ac1f9368e
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:38:27 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index da50d18..60e08d8 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -233,7 +233,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @c and free, and _nl_find_locale, which amount to all documented safety
- @c issues.  It also calls new_composite_name, setdata, and setname,
- @c without any additional issues.  _nl_find_locale calls getenv, ...
--This function returns a pointer read 
-+@c This function returns a pointer read...
- The function @code{setlocale} sets the current locale for category
- @var{category} to @var{locale}.  A list of all the locales the system
- provides can be created by running
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 3dfc7ca..2cf1838 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: 530229eff374ce006c4c7f955d1d897e0a4056c6
-Top:    399ffe27a17cf7d3358a5588aa455450336867d1
+Top:    8b03cdaff12cf5536b0a91677ddb1a0ac1f9368e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..da50d18 100644
+index 2f10fcd..60e08d8 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
 @@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
@@ -29,7 +29,7 @@ index 2f10fcd..da50d18 100644
 +@c and free, and _nl_find_locale, which amount to all documented safety
 +@c issues.  It also calls new_composite_name, setdata, and setname,
 +@c without any additional issues.  _nl_find_locale calls getenv, ...
-+This function returns a pointer read 
++@c This function returns a pointer read...
  The function @code{setlocale} sets the current locale for category
  @var{category} to @var{locale}.  A list of all the locales the system
  provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c80d4db9267cd250c557ac1708878125a456db56

commit c80d4db9267cd250c557ac1708878125a456db56
Merge: 472509b 9c71bbf 35eee9e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:27 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=472509b5e1ba162e218857ef22fa50f4232ddea6

commit 472509b5e1ba162e218857ef22fa50f4232ddea6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:27 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 83bfe92..af0bab7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 117f96a014f403b989798de6173188a404217e23
-Head: 87435eab512846c7999ee8bf7469e274a83555fe
+Previous: 9c71bbfa5861775c9dcbfd52a2b0dffd88fc7c5e
+Head: 35eee9e8d5320718c1c0a525b3cd0f7739f0d427
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -21,6 +21,7 @@ Applied:
   manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
   manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
   wip-manual-document-mt-safety-locale.patch: 87435eab512846c7999ee8bf7469e274a83555fe
+  refresh-temp: 35eee9e8d5320718c1c0a525b3cd0f7739f0d427
 Unapplied:
   wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
   wip-manual-document-mt-safety-startup.patch: 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..3fcd55a
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,22 @@
+Bottom: 399ffe27a17cf7d3358a5588aa455450336867d1
+Top:    8b03cdaff12cf5536b0a91677ddb1a0ac1f9368e
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:38:27 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index da50d18..60e08d8 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -233,7 +233,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @c and free, and _nl_find_locale, which amount to all documented safety
+ @c issues.  It also calls new_composite_name, setdata, and setname,
+ @c without any additional issues.  _nl_find_locale calls getenv, ...
+-This function returns a pointer read 
++@c This function returns a pointer read...
+ The function @code{setlocale} sets the current locale for category
+ @var{category} to @var{locale}.  A list of all the locales the system
+ provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=35eee9e8d5320718c1c0a525b3cd0f7739f0d427

commit 35eee9e8d5320718c1c0a525b3cd0f7739f0d427
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:38:27 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index da50d18..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -233,7 +233,7 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @c and free, and _nl_find_locale, which amount to all documented safety
 @c issues.  It also calls new_composite_name, setdata, and setname,
 @c without any additional issues.  _nl_find_locale calls getenv, ...
-This function returns a pointer read 
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a7e2ad1ab8005398467e21a1903513ad72c3bb99

commit a7e2ad1ab8005398467e21a1903513ad72c3bb99
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..60e08d8 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+@c This function returns a pointer read...
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9c71bbfa5861775c9dcbfd52a2b0dffd88fc7c5e

commit 9c71bbfa5861775c9dcbfd52a2b0dffd88fc7c5e
Merge: 1a14ed1 117f96a 87435ea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:26 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1a14ed12a61412dfdade038568d8f8765d31ff52

commit 1a14ed12a61412dfdade038568d8f8765d31ff52
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:26 2013 -0300

    push

diff --git a/meta b/meta
index f13d651..83bfe92 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 039b5e411cd67063f2e119af1c56e349f170f4cf
-Head: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
+Previous: 117f96a014f403b989798de6173188a404217e23
+Head: 87435eab512846c7999ee8bf7469e274a83555fe
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -20,8 +20,8 @@ Applied:
   manual-document-mt-safety-lang.patch: b791ca7244516eba35200090ff65146015bbcf80
   manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
   manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
+  wip-manual-document-mt-safety-locale.patch: 87435eab512846c7999ee8bf7469e274a83555fe
 Unapplied:
-  wip-manual-document-mt-safety-locale.patch: 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
   wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
   wip-manual-document-mt-safety-startup.patch: 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
   wip-manual-document-mt-safety-search.patch: 75e6004e8dbc695b0cdc9b84249cf1b777fc30b5
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 3fe7a6a..3dfc7ca 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 1b3315652dde989dd535a1572985e5afdd6c5e99
-Top:    9810f600dc88278307b0fb70f5a0bc3a128cac35
+Bottom: 530229eff374ce006c4c7f955d1d897e0a4056c6
+Top:    399ffe27a17cf7d3358a5588aa455450336867d1
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=87435eab512846c7999ee8bf7469e274a83555fe

commit 87435eab512846c7999ee8bf7469e274a83555fe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=622b7f4fdcb3b1ade62c26693365f35a3a7a7031

commit 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=117f96a014f403b989798de6173188a404217e23

commit 117f96a014f403b989798de6173188a404217e23
Merge: 076cc66 039b5e4 622b7f4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:25 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=076cc66450c2311ca2f73682b21d6e88c1ca43ff

commit 076cc66450c2311ca2f73682b21d6e88c1ca43ff
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:25 2013 -0300

    push

diff --git a/meta b/meta
index 423a8d6..f13d651 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 01b4ed4821c8fd161995206963f729f154dba7b4
-Head: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
+Previous: 039b5e411cd67063f2e119af1c56e349f170f4cf
+Head: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -19,8 +19,8 @@ Applied:
   manual-document-mt-safety-job.patch: d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
   manual-document-mt-safety-lang.patch: b791ca7244516eba35200090ff65146015bbcf80
   manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
+  manual-document-mt-safety-stdio.patch: 622b7f4fdcb3b1ade62c26693365f35a3a7a7031
 Unapplied:
-  manual-document-mt-safety-stdio.patch: 0960f99a58ac496a2420e3d299e868f900662636
   wip-manual-document-mt-safety-locale.patch: 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
   wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
   wip-manual-document-mt-safety-startup.patch: 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 0de73f6..2534cf3 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
-Top:    1b3315652dde989dd535a1572985e5afdd6c5e99
+Bottom: 1c79556edf2fc8cdc5742a63361502af02f3a7f6
+Top:    530229eff374ce006c4c7f955d1d897e0a4056c6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=accb81f4e2f55ac6c8c0a9d8762668829bca23f8

commit accb81f4e2f55ac6c8c0a9d8762668829bca23f8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=039b5e411cd67063f2e119af1c56e349f170f4cf

commit 039b5e411cd67063f2e119af1c56e349f170f4cf
Merge: bbc438e 01b4ed4 accb81f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:24 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bbc438e08509e5fa1cc8c37dcc736102867ce763

commit bbc438e08509e5fa1cc8c37dcc736102867ce763
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:24 2013 -0300

    push

diff --git a/meta b/meta
index d1a517e..423a8d6 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b698a1cb62c164162476e9ca5b2e8014b9e28a0f
-Head: b791ca7244516eba35200090ff65146015bbcf80
+Previous: 01b4ed4821c8fd161995206963f729f154dba7b4
+Head: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -18,8 +18,8 @@ Applied:
   manual-document-mt-safety-libdl.patch: 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
   manual-document-mt-safety-job.patch: d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
   manual-document-mt-safety-lang.patch: b791ca7244516eba35200090ff65146015bbcf80
+  manual-document-mt-safety-llio.patch: accb81f4e2f55ac6c8c0a9d8762668829bca23f8
 Unapplied:
-  manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-stdio.patch: 0960f99a58ac496a2420e3d299e868f900662636
   wip-manual-document-mt-safety-locale.patch: 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
   wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 274aefd..ede6838 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 5d6bbf322290ec49c7df2274a5b3ec79d32fd303
-Top:    baf6738652c9240a7ea48273cff318ffb17716d8
+Bottom: e39567735e51df9a1cbd6f9b527ba0ebaebcbadb
+Top:    1c79556edf2fc8cdc5742a63361502af02f3a7f6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b791ca7244516eba35200090ff65146015bbcf80

commit b791ca7244516eba35200090ff65146015bbcf80
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=01b4ed4821c8fd161995206963f729f154dba7b4

commit 01b4ed4821c8fd161995206963f729f154dba7b4
Merge: 24ee441 b698a1c b791ca7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:23 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=24ee4411419f64016737dbf89dcb1d75f6df6aab

commit 24ee4411419f64016737dbf89dcb1d75f6df6aab
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:23 2013 -0300

    push

diff --git a/meta b/meta
index e2c5c27..d1a517e 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ea8c680babd2266f6826b2f043599f311baa1f9f
-Head: d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
+Previous: b698a1cb62c164162476e9ca5b2e8014b9e28a0f
+Head: b791ca7244516eba35200090ff65146015bbcf80
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -17,8 +17,8 @@ Applied:
   manual-document-mt-safety-getopt.patch: f543b69a645a445a7b7484e4e4729387deb00d58
   manual-document-mt-safety-libdl.patch: 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
   manual-document-mt-safety-job.patch: d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
+  manual-document-mt-safety-lang.patch: b791ca7244516eba35200090ff65146015bbcf80
 Unapplied:
-  manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-stdio.patch: 0960f99a58ac496a2420e3d299e868f900662636
   wip-manual-document-mt-safety-locale.patch: 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 09d2cc9..93ad7bd 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: b58e76e4078fdee40947d68820e0f861f8cac2de
-Top:    5d6bbf322290ec49c7df2274a5b3ec79d32fd303
+Bottom: c6b12eb06e14c9c5162f6f8386fb00a68dff09e7
+Top:    e39567735e51df9a1cbd6f9b527ba0ebaebcbadb
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b698a1cb62c164162476e9ca5b2e8014b9e28a0f

commit b698a1cb62c164162476e9ca5b2e8014b9e28a0f
Merge: 3f73f18 ea8c680 d2b8bf8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:23 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3f73f189c4043b265e67f000e7a70ec7ef5bbbcd

commit 3f73f189c4043b265e67f000e7a70ec7ef5bbbcd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:23 2013 -0300

    push

diff --git a/meta b/meta
index 41c97ed..e2c5c27 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a93eed6f48d61323fe92247fc86da838ad4172f9
-Head: 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
+Previous: ea8c680babd2266f6826b2f043599f311baa1f9f
+Head: d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -16,8 +16,8 @@ Applied:
   manual-document-mt-safety-filesys.patch: 88f6858a8c928050ef2686d392ea593e05cfc34a
   manual-document-mt-safety-getopt.patch: f543b69a645a445a7b7484e4e4729387deb00d58
   manual-document-mt-safety-libdl.patch: 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
+  manual-document-mt-safety-job.patch: d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
 Unapplied:
-  manual-document-mt-safety-job.patch: 57c129a7691ad66436b380272a24d356111b19bf
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-stdio.patch: 0960f99a58ac496a2420e3d299e868f900662636
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index e6f679b..ce62710 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 08a4456877254843d89c18fe88e4c0431857fcff
-Top:    b58e76e4078fdee40947d68820e0f861f8cac2de
+Bottom: 2b93df95492ad4d1ceb8aa1d1cf8582c93b425b0
+Top:    c6b12eb06e14c9c5162f6f8386fb00a68dff09e7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5

commit d2b8bf860b81e8e95130a2b397bd63d3ac29f6f5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ea8c680babd2266f6826b2f043599f311baa1f9f

commit ea8c680babd2266f6826b2f043599f311baa1f9f
Merge: d3e4303 a93eed6 3a6ba50
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:22 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d3e430304b131011cea3a95b6a7e9946f6689af2

commit d3e430304b131011cea3a95b6a7e9946f6689af2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:22 2013 -0300

    push

diff --git a/meta b/meta
index f5933c3..41c97ed 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b9765d52b038b1fdbfcfc48eee9147c715bac3ba
-Head: f543b69a645a445a7b7484e4e4729387deb00d58
+Previous: a93eed6f48d61323fe92247fc86da838ad4172f9
+Head: 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -15,8 +15,8 @@ Applied:
   manual-document-mt-safety-errno.patch: c809e22eb30fc43d15192d36963a8e19f7d65b0c
   manual-document-mt-safety-filesys.patch: 88f6858a8c928050ef2686d392ea593e05cfc34a
   manual-document-mt-safety-getopt.patch: f543b69a645a445a7b7484e4e4729387deb00d58
+  manual-document-mt-safety-libdl.patch: 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
 Unapplied:
-  manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
   manual-document-mt-safety-job.patch: 57c129a7691ad66436b380272a24d356111b19bf
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index abfb497..96f67fc 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 18760d732995b8379bc372377398a8fd58732762
-Top:    08a4456877254843d89c18fe88e4c0431857fcff
+Bottom: 7673305db24e0b03187acb8928ddfeca18980793
+Top:    2b93df95492ad4d1ceb8aa1d1cf8582c93b425b0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f

commit 3a6ba503d2949acb7fd0d23fbdaaf056bb0a819f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a93eed6f48d61323fe92247fc86da838ad4172f9

commit a93eed6f48d61323fe92247fc86da838ad4172f9
Merge: 7ea26a0 b9765d5 f543b69
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:21 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7ea26a00bfd4dc3967722d3e5d10e247de9515af

commit 7ea26a00bfd4dc3967722d3e5d10e247de9515af
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:21 2013 -0300

    push

diff --git a/meta b/meta
index f3dc0e0..f5933c3 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: f65d41328fcfd4d4becadcb876f6f728780a5534
-Head: 88f6858a8c928050ef2686d392ea593e05cfc34a
+Previous: b9765d52b038b1fdbfcfc48eee9147c715bac3ba
+Head: f543b69a645a445a7b7484e4e4729387deb00d58
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -14,8 +14,8 @@ Applied:
   manual-document-mt-safety-debug.patch: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
   manual-document-mt-safety-errno.patch: c809e22eb30fc43d15192d36963a8e19f7d65b0c
   manual-document-mt-safety-filesys.patch: 88f6858a8c928050ef2686d392ea593e05cfc34a
+  manual-document-mt-safety-getopt.patch: f543b69a645a445a7b7484e4e4729387deb00d58
 Unapplied:
-  manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
   manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
   manual-document-mt-safety-job.patch: 57c129a7691ad66436b380272a24d356111b19bf
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 753c8f5..54c020d 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: c0467ea68e04c4b52c9c771dad681e1220291a6a
-Top:    18760d732995b8379bc372377398a8fd58732762
+Bottom: e32560bf251105655d134b5c41a9b8fdd9801d15
+Top:    7673305db24e0b03187acb8928ddfeca18980793
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f543b69a645a445a7b7484e4e4729387deb00d58

commit f543b69a645a445a7b7484e4e4729387deb00d58
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b9765d52b038b1fdbfcfc48eee9147c715bac3ba

commit b9765d52b038b1fdbfcfc48eee9147c715bac3ba
Merge: 8ed2f07 88f6858 f65d413
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:19 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8ed2f0753e68f562d692c76b5e108bd61a9aca28

commit 8ed2f0753e68f562d692c76b5e108bd61a9aca28
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:19 2013 -0300

    refresh

diff --git a/meta b/meta
index 7d6904c..f3dc0e0 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 46b56b66a87e1cb898bb251259eda2d285f81f55
-Head: fe69b4d1428162d2b3d8a819a66b192ef427a329
+Previous: f65d41328fcfd4d4becadcb876f6f728780a5534
+Head: 88f6858a8c928050ef2686d392ea593e05cfc34a
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -13,8 +13,7 @@ Applied:
   manual-document-mt-safety-ctype.patch: c67c0318158e4a31db772c98b8828e54db56693e
   manual-document-mt-safety-debug.patch: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
   manual-document-mt-safety-errno.patch: c809e22eb30fc43d15192d36963a8e19f7d65b0c
-  manual-document-mt-safety-filesys.patch: a9226edaf034632058b974acb03d3440eac70053
-  refresh-temp: fe69b4d1428162d2b3d8a819a66b192ef427a329
+  manual-document-mt-safety-filesys.patch: 88f6858a8c928050ef2686d392ea593e05cfc34a
 Unapplied:
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
   manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index a287465..5ffc492 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
 Bottom: 94d2ef49874113afaf68e43004adb8da972729b9
-Top:    ef75c87ba4586a879f503ee1b10a162b33a420e3
+Top:    e32560bf251105655d134b5c41a9b8fdd9801d15
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 1df9cf2..2244025 100644
+index 1df9cf2..47176cc 100644
 --- a/manual/filesys.texi
 +++ b/manual/filesys.texi
 @@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
@@ -292,7 +292,7 @@ index 1df9cf2..2244025 100644
 +@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
 +@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
 +@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
-+@c  find_object (tsearch) and add_object (tfind).  
++@c  find_object (tsearch) and add_object (tfind).
 +@c Since each invocation of *ftw uses its own private search tree, none
 +@c  of the search tree concurrency issues apply.
  The @code{nftw} function works like the @code{ftw} functions.  They call
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 2506c0f..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,22 +0,0 @@
-Bottom: ef75c87ba4586a879f503ee1b10a162b33a420e3
-Top:    e32560bf251105655d134b5c41a9b8fdd9801d15
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:37:18 -0300
-
-Refresh of manual-document-mt-safety-filesys.patch
-
----
-
-diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 2244025..47176cc 100644
---- a/manual/filesys.texi
-+++ b/manual/filesys.texi
-@@ -1034,7 +1034,7 @@ transparently replaces the old implementation.
- @c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
- @c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
- @c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
--@c  find_object (tsearch) and add_object (tfind).  
-+@c  find_object (tsearch) and add_object (tfind).
- @c Since each invocation of *ftw uses its own private search tree, none
- @c  of the search tree concurrency issues apply.
- The @code{nftw} function works like the @code{ftw} functions.  They call

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f65d41328fcfd4d4becadcb876f6f728780a5534

commit f65d41328fcfd4d4becadcb876f6f728780a5534
Merge: 16abc2e 46b56b6 fe69b4d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:18 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=16abc2e0ab1669be38ba2031daf5dd42ed208eef

commit 16abc2e0ab1669be38ba2031daf5dd42ed208eef
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:18 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 8a44063..7d6904c 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ad0739404f1903efd7a41c839a8ac8c637046c1d
-Head: a9226edaf034632058b974acb03d3440eac70053
+Previous: 46b56b66a87e1cb898bb251259eda2d285f81f55
+Head: fe69b4d1428162d2b3d8a819a66b192ef427a329
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -14,6 +14,7 @@ Applied:
   manual-document-mt-safety-debug.patch: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
   manual-document-mt-safety-errno.patch: c809e22eb30fc43d15192d36963a8e19f7d65b0c
   manual-document-mt-safety-filesys.patch: a9226edaf034632058b974acb03d3440eac70053
+  refresh-temp: fe69b4d1428162d2b3d8a819a66b192ef427a329
 Unapplied:
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
   manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..2506c0f
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,22 @@
+Bottom: ef75c87ba4586a879f503ee1b10a162b33a420e3
+Top:    e32560bf251105655d134b5c41a9b8fdd9801d15
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:37:18 -0300
+
+Refresh of manual-document-mt-safety-filesys.patch
+
+---
+
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 2244025..47176cc 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -1034,7 +1034,7 @@ transparently replaces the old implementation.
+ @c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+ @c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+ @c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+-@c  find_object (tsearch) and add_object (tfind).  
++@c  find_object (tsearch) and add_object (tfind).
+ @c Since each invocation of *ftw uses its own private search tree, none
+ @c  of the search tree concurrency issues apply.
+ The @code{nftw} function works like the @code{ftw} functions.  They call

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe69b4d1428162d2b3d8a819a66b192ef427a329

commit fe69b4d1428162d2b3d8a819a66b192ef427a329
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:18 2013 -0300

    Refresh of manual-document-mt-safety-filesys.patch

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 2244025..47176cc 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -1034,7 +1034,7 @@ transparently replaces the old implementation.
 @c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
 @c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
 @c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
-@c  find_object (tsearch) and add_object (tfind).  
+@c  find_object (tsearch) and add_object (tfind).
 @c Since each invocation of *ftw uses its own private search tree, none
 @c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=88f6858a8c928050ef2686d392ea593e05cfc34a

commit 88f6858a8c928050ef2686d392ea593e05cfc34a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..47176cc 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=46b56b66a87e1cb898bb251259eda2d285f81f55

commit 46b56b66a87e1cb898bb251259eda2d285f81f55
Merge: c1491db ad07394 a9226ed
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:05 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c1491db817b576709534590538bcfed908ba8636

commit c1491db817b576709534590538bcfed908ba8636
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:05 2013 -0300

    push

diff --git a/meta b/meta
index 203e67f..8a44063 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7b17963914895e7c6e841738568c70e6b1dad418
-Head: c809e22eb30fc43d15192d36963a8e19f7d65b0c
+Previous: ad0739404f1903efd7a41c839a8ac8c637046c1d
+Head: a9226edaf034632058b974acb03d3440eac70053
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -13,8 +13,8 @@ Applied:
   manual-document-mt-safety-ctype.patch: c67c0318158e4a31db772c98b8828e54db56693e
   manual-document-mt-safety-debug.patch: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
   manual-document-mt-safety-errno.patch: c809e22eb30fc43d15192d36963a8e19f7d65b0c
+  manual-document-mt-safety-filesys.patch: a9226edaf034632058b974acb03d3440eac70053
 Unapplied:
-  manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
   manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
   manual-document-mt-safety-job.patch: 57c129a7691ad66436b380272a24d356111b19bf
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 7b4e146..a287465 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: 50fd6f363b9af88ae1e05db55cefcd1e41c10123
-Top:    c0467ea68e04c4b52c9c771dad681e1220291a6a
+Bottom: 94d2ef49874113afaf68e43004adb8da972729b9
+Top:    ef75c87ba4586a879f503ee1b10a162b33a420e3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a9226edaf034632058b974acb03d3440eac70053

commit a9226edaf034632058b974acb03d3440eac70053
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c809e22eb30fc43d15192d36963a8e19f7d65b0c

commit c809e22eb30fc43d15192d36963a8e19f7d65b0c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ad0739404f1903efd7a41c839a8ac8c637046c1d

commit ad0739404f1903efd7a41c839a8ac8c637046c1d
Merge: cf53de7 7b17963 c809e22
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:04 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cf53de7d61a899ee849e2b4185f768a916184a35

commit cf53de7d61a899ee849e2b4185f768a916184a35
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:04 2013 -0300

    push

diff --git a/meta b/meta
index 0095f76..203e67f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ff4b802a46c6ed82436bd4d9652222c18aa88b51
-Head: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
+Previous: 7b17963914895e7c6e841738568c70e6b1dad418
+Head: c809e22eb30fc43d15192d36963a8e19f7d65b0c
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -12,8 +12,8 @@ Applied:
   manual-document-mt-safety-crypt.patch: 93bce6450adbd4597a1a0d96bca4162b367a61c4
   manual-document-mt-safety-ctype.patch: c67c0318158e4a31db772c98b8828e54db56693e
   manual-document-mt-safety-debug.patch: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
+  manual-document-mt-safety-errno.patch: c809e22eb30fc43d15192d36963a8e19f7d65b0c
 Unapplied:
-  manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
   manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
   manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 7b30386..67a101a 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: 5add8b2d9a79567d15e402219a50ddf6704cdcea
-Top:    50fd6f363b9af88ae1e05db55cefcd1e41c10123
+Bottom: 548606bab4bd38fa36c7264f1e06dbd818e0a4d4
+Top:    94d2ef49874113afaf68e43004adb8da972729b9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:34 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=61349e0a2ebc1b1cb265b25c74ae39b2d5b85636

commit 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7b17963914895e7c6e841738568c70e6b1dad418

commit 7b17963914895e7c6e841738568c70e6b1dad418
Merge: 43a440e ff4b802 61349e0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:03 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=43a440e0d0fbf025378ed9aad5eed3d269781dbf

commit 43a440e0d0fbf025378ed9aad5eed3d269781dbf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:03 2013 -0300

    push

diff --git a/meta b/meta
index bea7600..0095f76 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 90a7b8873b45a59d4ab0a1247cdaaae5d4ce9466
-Head: c67c0318158e4a31db772c98b8828e54db56693e
+Previous: ff4b802a46c6ed82436bd4d9652222c18aa88b51
+Head: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -11,8 +11,8 @@ Applied:
   manual-document-mt-safety-conf.patch: b2f06012824f907fd1cb35844c2e7a054ddf81f9
   manual-document-mt-safety-crypt.patch: 93bce6450adbd4597a1a0d96bca4162b367a61c4
   manual-document-mt-safety-ctype.patch: c67c0318158e4a31db772c98b8828e54db56693e
+  manual-document-mt-safety-debug.patch: 61349e0a2ebc1b1cb265b25c74ae39b2d5b85636
 Unapplied:
-  manual-document-mt-safety-debug.patch: 90470ebb84408d72de8a13806b2e84801fbcc026
   manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
   manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 2063a20..9b0749d 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: 1fe3a56b7e61d235687df61e4d4bded8e7283992
-Top:    5add8b2d9a79567d15e402219a50ddf6704cdcea
+Bottom: 3de021265ff25f1386d7a7c20b91b2a25d84120f
+Top:    548606bab4bd38fa36c7264f1e06dbd818e0a4d4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:11 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c67c0318158e4a31db772c98b8828e54db56693e

commit c67c0318158e4a31db772c98b8828e54db56693e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ff4b802a46c6ed82436bd4d9652222c18aa88b51

commit ff4b802a46c6ed82436bd4d9652222c18aa88b51
Merge: 6558fa6 90a7b88 c67c031
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:02 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6558fa65ae0022b261220c9136727dd174b01b3b

commit 6558fa65ae0022b261220c9136727dd174b01b3b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:02 2013 -0300

    push

diff --git a/meta b/meta
index f3d91e6..bea7600 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 99a32f1e3010e8bbad037c1418ff9010c6bccbf2
-Head: 93bce6450adbd4597a1a0d96bca4162b367a61c4
+Previous: 90a7b8873b45a59d4ab0a1247cdaaae5d4ce9466
+Head: c67c0318158e4a31db772c98b8828e54db56693e
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -10,8 +10,8 @@ Applied:
   manual-document-mt-safety-charset.patch: 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
   manual-document-mt-safety-conf.patch: b2f06012824f907fd1cb35844c2e7a054ddf81f9
   manual-document-mt-safety-crypt.patch: 93bce6450adbd4597a1a0d96bca4162b367a61c4
+  manual-document-mt-safety-ctype.patch: c67c0318158e4a31db772c98b8828e54db56693e
 Unapplied:
-  manual-document-mt-safety-ctype.patch: 776df644b03f53de0e1d21d4b6e8df0fb287117e
   manual-document-mt-safety-debug.patch: 90470ebb84408d72de8a13806b2e84801fbcc026
   manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
   manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 8700f8e..c5de015 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 25551ef91682bea014db1b2031e4dad60a4ba129
-Top:    1fe3a56b7e61d235687df61e4d4bded8e7283992
+Bottom: f7704f5b20f5c9943d0105fa39bc7bb7ffcbb869
+Top:    3de021265ff25f1386d7a7c20b91b2a25d84120f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=93bce6450adbd4597a1a0d96bca4162b367a61c4

commit 93bce6450adbd4597a1a0d96bca4162b367a61c4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=90a7b8873b45a59d4ab0a1247cdaaae5d4ce9466

commit 90a7b8873b45a59d4ab0a1247cdaaae5d4ce9466
Merge: acd3a9a 99a32f1 93bce64
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:01 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=acd3a9a9fb2d00946518163380b31f4abbf04c0c

commit acd3a9a9fb2d00946518163380b31f4abbf04c0c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:01 2013 -0300

    push

diff --git a/meta b/meta
index ac5bceb..f3d91e6 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9eac7aed6d7204866334765380c9f4dcf4d27712
-Head: b2f06012824f907fd1cb35844c2e7a054ddf81f9
+Previous: 99a32f1e3010e8bbad037c1418ff9010c6bccbf2
+Head: 93bce6450adbd4597a1a0d96bca4162b367a61c4
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -9,8 +9,8 @@ Applied:
   manual-document-mt-safety-arith.patch: 838c715e0d3f4c3674975edd26315e143cca1455
   manual-document-mt-safety-charset.patch: 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
   manual-document-mt-safety-conf.patch: b2f06012824f907fd1cb35844c2e7a054ddf81f9
+  manual-document-mt-safety-crypt.patch: 93bce6450adbd4597a1a0d96bca4162b367a61c4
 Unapplied:
-  manual-document-mt-safety-crypt.patch: 06242cab8769046e2c3e9670de0b0e664f9624ef
   manual-document-mt-safety-ctype.patch: 776df644b03f53de0e1d21d4b6e8df0fb287117e
   manual-document-mt-safety-debug.patch: 90470ebb84408d72de8a13806b2e84801fbcc026
   manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 20411b6..b799073 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
-Bottom: 621eb53ac8713123406be43ebd474132b7c6e4de
-Top:    25551ef91682bea014db1b2031e4dad60a4ba129
+Bottom: 45cccd4a47645a41bfaa6a90e93cd3906e8edfa6
+Top:    f7704f5b20f5c9943d0105fa39bc7bb7ffcbb869
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:47 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b2f06012824f907fd1cb35844c2e7a054ddf81f9

commit b2f06012824f907fd1cb35844c2e7a054ddf81f9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=99a32f1e3010e8bbad037c1418ff9010c6bccbf2

commit 99a32f1e3010e8bbad037c1418ff9010c6bccbf2
Merge: b500f7d 9eac7ae b2f0601
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:00 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b500f7d93c0b4972c9ca8f81dc50fb6baa575be7

commit b500f7d93c0b4972c9ca8f81dc50fb6baa575be7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:37:00 2013 -0300

    push

diff --git a/meta b/meta
index 5ba29aa..ac5bceb 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 349313a3dd747639c0add943ebcbfa40edc7b949
-Head: 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
+Previous: 9eac7aed6d7204866334765380c9f4dcf4d27712
+Head: b2f06012824f907fd1cb35844c2e7a054ddf81f9
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
@@ -8,8 +8,8 @@ Applied:
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
   manual-document-mt-safety-arith.patch: 838c715e0d3f4c3674975edd26315e143cca1455
   manual-document-mt-safety-charset.patch: 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
+  manual-document-mt-safety-conf.patch: b2f06012824f907fd1cb35844c2e7a054ddf81f9
 Unapplied:
-  manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
   manual-document-mt-safety-crypt.patch: 06242cab8769046e2c3e9670de0b0e664f9624ef
   manual-document-mt-safety-ctype.patch: 776df644b03f53de0e1d21d4b6e8df0fb287117e
   manual-document-mt-safety-debug.patch: 90470ebb84408d72de8a13806b2e84801fbcc026
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index 0db760e..ad74927 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,5 +1,5 @@
-Bottom: 0ed3cc03efad5a94ba0a48cd696ec823658ac35b
-Top:    621eb53ac8713123406be43ebd474132b7c6e4de
+Bottom: 635dade8c2d466563bdeba84575ccfd57214e37e
+Top:    45cccd4a47645a41bfaa6a90e93cd3906e8edfa6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:16 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9e121d9ec8c4633d64cc9744360fbeca9f156bf0

commit 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9eac7aed6d7204866334765380c9f4dcf4d27712

commit 9eac7aed6d7204866334765380c9f4dcf4d27712
Merge: e0dcb1a 349313a 9e121d9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:59 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e0dcb1ab9cc1f8e1eb49fd1046cdbd0bf19ab1d1

commit e0dcb1ab9cc1f8e1eb49fd1046cdbd0bf19ab1d1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:59 2013 -0300

    push

diff --git a/meta b/meta
index 0d54dab..5ba29aa 100644
--- a/meta
+++ b/meta
@@ -1,14 +1,14 @@
 Version: 1
-Previous: 5db9fbe9041fbed617eb79c77493ef6f1625e290
-Head: 838c715e0d3f4c3674975edd26315e143cca1455
+Previous: 349313a3dd747639c0add943ebcbfa40edc7b949
+Head: 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
   manual-document-mt-safety-arith.patch: 838c715e0d3f4c3674975edd26315e143cca1455
+  manual-document-mt-safety-charset.patch: 9e121d9ec8c4633d64cc9744360fbeca9f156bf0
 Unapplied:
-  manual-document-mt-safety-charset.patch: 32e6dfea09eccf189affbee43bff67b4989ada90
   manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
   manual-document-mt-safety-crypt.patch: 06242cab8769046e2c3e9670de0b0e664f9624ef
   manual-document-mt-safety-ctype.patch: 776df644b03f53de0e1d21d4b6e8df0fb287117e
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index 6935950..45a1643 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: 802ed278ee78a71e6694780a51b4b82573651127
-Top:    8630788acc532aafc6569e76eaf6a0ce2bd4583e
+Bottom: 20fd58920c13f96b1451eda75458a9c942d2094e
+Top:    635dade8c2d466563bdeba84575ccfd57214e37e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:01:33 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=349313a3dd747639c0add943ebcbfa40edc7b949

commit 349313a3dd747639c0add943ebcbfa40edc7b949
Merge: eca6f0b 838c715 5db9fbe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:34 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eca6f0b9acfe5fc1ad8e178cc3ae02385b761874

commit eca6f0b9acfe5fc1ad8e178cc3ae02385b761874
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:34 2013 -0300

    refresh

diff --git a/meta b/meta
index f71e2d2..0d54dab 100644
--- a/meta
+++ b/meta
@@ -1,13 +1,12 @@
 Version: 1
-Previous: 2d0bbd85e67e716b0c9f09a1ab44ff77d6616803
-Head: 831663a122760bc287ae8012fad51497619b234e
+Previous: 5db9fbe9041fbed617eb79c77493ef6f1625e290
+Head: 838c715e0d3f4c3674975edd26315e143cca1455
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
-  manual-document-mt-safety-arith.patch: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
-  refresh-temp: 831663a122760bc287ae8012fad51497619b234e
+  manual-document-mt-safety-arith.patch: 838c715e0d3f4c3674975edd26315e143cca1455
 Unapplied:
   manual-document-mt-safety-charset.patch: 32e6dfea09eccf189affbee43bff67b4989ada90
   manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index b23a7d8..9eca6bc 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
 Bottom: 3b3317dffdd8fb0b673f39fa8b5d3c6443f8fc0b
-Top:    802ed278ee78a71e6694780a51b4b82573651127
+Top:    20fd58920c13f96b1451eda75458a9c942d2094e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/arith.texi b/manual/arith.texi
-index 77056c3..5c3aa9d 100644
+index 77056c3..c0cd350 100644
 --- a/manual/arith.texi
 +++ b/manual/arith.texi
 @@ -160,6 +160,8 @@ The remainder from the division.
@@ -826,7 +826,7 @@ index 77056c3..5c3aa9d 100644
  @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
 +@safety{@mtsafe{}@assafe{}@acsafe{}}
 +@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
-+@c args_value if it's too large, but gcvt never exercises this path.  
++@c args_value if it's too large, but gcvt never exercises this path.
  @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
  ndigit, value}.  It is provided only for compatibility's sake.  It
  returns @var{buf}.
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 0b98566..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,22 +0,0 @@
-Bottom: 802ed278ee78a71e6694780a51b4b82573651127
-Top:    20fd58920c13f96b1451eda75458a9c942d2094e
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:36:33 -0300
-
-Refresh of manual-document-mt-safety-arith.patch
-
----
-
-diff --git a/manual/arith.texi b/manual/arith.texi
-index 5c3aa9d..c0cd350 100644
---- a/manual/arith.texi
-+++ b/manual/arith.texi
-@@ -2666,7 +2666,7 @@ to @code{fcvt}.
- @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
- @safety{@mtsafe{}@assafe{}@acsafe{}}
- @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
--@c args_value if it's too large, but gcvt never exercises this path.  
-+@c args_value if it's too large, but gcvt never exercises this path.
- @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
- ndigit, value}.  It is provided only for compatibility's sake.  It
- returns @var{buf}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5db9fbe9041fbed617eb79c77493ef6f1625e290

commit 5db9fbe9041fbed617eb79c77493ef6f1625e290
Merge: 8e47328 2d0bbd8 831663a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:33 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8e4732834ba216f49979c7e122c6231a2deb8fcc

commit 8e4732834ba216f49979c7e122c6231a2deb8fcc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:33 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index dc8bfd3..f71e2d2 100644
--- a/meta
+++ b/meta
@@ -1,12 +1,13 @@
 Version: 1
-Previous: d6234b156e44d866fb19cd4513e613642ffa7346
-Head: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
+Previous: 2d0bbd85e67e716b0c9f09a1ab44ff77d6616803
+Head: 831663a122760bc287ae8012fad51497619b234e
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
   manual-document-mt-safety-arith.patch: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
+  refresh-temp: 831663a122760bc287ae8012fad51497619b234e
 Unapplied:
   manual-document-mt-safety-charset.patch: 32e6dfea09eccf189affbee43bff67b4989ada90
   manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..0b98566
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,22 @@
+Bottom: 802ed278ee78a71e6694780a51b4b82573651127
+Top:    20fd58920c13f96b1451eda75458a9c942d2094e
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:36:33 -0300
+
+Refresh of manual-document-mt-safety-arith.patch
+
+---
+
+diff --git a/manual/arith.texi b/manual/arith.texi
+index 5c3aa9d..c0cd350 100644
+--- a/manual/arith.texi
++++ b/manual/arith.texi
+@@ -2666,7 +2666,7 @@ to @code{fcvt}.
+ @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+ @safety{@mtsafe{}@assafe{}@acsafe{}}
+ @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+-@c args_value if it's too large, but gcvt never exercises this path.  
++@c args_value if it's too large, but gcvt never exercises this path.
+ @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
+ ndigit, value}.  It is provided only for compatibility's sake.  It
+ returns @var{buf}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=831663a122760bc287ae8012fad51497619b234e

commit 831663a122760bc287ae8012fad51497619b234e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:33 2013 -0300

    Refresh of manual-document-mt-safety-arith.patch

diff --git a/manual/arith.texi b/manual/arith.texi
index 5c3aa9d..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -2666,7 +2666,7 @@ to @code{fcvt}.
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
 @safety{@mtsafe{}@assafe{}@acsafe{}}
 @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
-@c args_value if it's too large, but gcvt never exercises this path.  
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2d0bbd85e67e716b0c9f09a1ab44ff77d6616803

commit 2d0bbd85e67e716b0c9f09a1ab44ff77d6616803
Merge: a27b834 d6234b1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:18 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a27b8346429ac4f2e2146550fdcf07ce8af508e2

commit a27b8346429ac4f2e2146550fdcf07ce8af508e2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:18 2013 -0300

    pop

diff --git a/meta b/meta
index b913e04..dc8bfd3 100644
--- a/meta
+++ b/meta
@@ -1,14 +1,14 @@
 Version: 1
-Previous: b8d90ae0c166b84615d28e15bd49b148198e775d
-Head: 32e6dfea09eccf189affbee43bff67b4989ada90
+Previous: d6234b156e44d866fb19cd4513e613642ffa7346
+Head: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
   manual-document-mt-safety-arith.patch: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
-  manual-document-mt-safety-charset.patch: 32e6dfea09eccf189affbee43bff67b4989ada90
 Unapplied:
+  manual-document-mt-safety-charset.patch: 32e6dfea09eccf189affbee43bff67b4989ada90
   manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
   manual-document-mt-safety-crypt.patch: 06242cab8769046e2c3e9670de0b0e664f9624ef
   manual-document-mt-safety-ctype.patch: 776df644b03f53de0e1d21d4b6e8df0fb287117e

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d6234b156e44d866fb19cd4513e613642ffa7346

commit d6234b156e44d866fb19cd4513e613642ffa7346
Merge: 075391f b8d90ae 32e6dfe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:10 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=075391fa607ad0bd3fcd3ec58620a879d06b96c0

commit 075391fa607ad0bd3fcd3ec58620a879d06b96c0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:36:10 2013 -0300

    push

diff --git a/meta b/meta
index 92bad98..b913e04 100644
--- a/meta
+++ b/meta
@@ -1,14 +1,14 @@
 Version: 1
-Previous: 68df847c7cd75361a07d4b7603ff1c35408a0863
-Head: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
+Previous: b8d90ae0c166b84615d28e15bd49b148198e775d
+Head: 32e6dfea09eccf189affbee43bff67b4989ada90
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
   manual-document-mt-safety-arith.patch: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
+  manual-document-mt-safety-charset.patch: 32e6dfea09eccf189affbee43bff67b4989ada90
 Unapplied:
-  manual-document-mt-safety-charset.patch: 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
   manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
   manual-document-mt-safety-crypt.patch: 06242cab8769046e2c3e9670de0b0e664f9624ef
   manual-document-mt-safety-ctype.patch: 776df644b03f53de0e1d21d4b6e8df0fb287117e
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index c4d22ae..6935950 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: 260809414e54f35864ab54b52fdbff3517f05f2e
-Top:    0ed3cc03efad5a94ba0a48cd696ec823658ac35b
+Bottom: 802ed278ee78a71e6694780a51b4b82573651127
+Top:    8630788acc532aafc6569e76eaf6a0ce2bd4583e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:01:33 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=32e6dfea09eccf189affbee43bff67b4989ada90

commit 32e6dfea09eccf189affbee43bff67b4989ada90
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=838c715e0d3f4c3674975edd26315e143cca1455

commit 838c715e0d3f4c3674975edd26315e143cca1455
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..c0cd350 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a751af8cdebb9eae59c0c48ce3d4b79d692b3026

commit a751af8cdebb9eae59c0c48ce3d4b79d692b3026
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b8d90ae0c166b84615d28e15bd49b148198e775d

commit b8d90ae0c166b84615d28e15bd49b148198e775d
Merge: c0ac9fb 68df847 a751af8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:55 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c0ac9fb6fa72b5e0bdc0efed5c601d389c5f38d4

commit c0ac9fb6fa72b5e0bdc0efed5c601d389c5f38d4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:55 2013 -0300

    push

diff --git a/meta b/meta
index 4948513..92bad98 100644
--- a/meta
+++ b/meta
@@ -1,13 +1,13 @@
 Version: 1
-Previous: 4777c890ea3feef7118158898c52d558e960eb56
-Head: 3d307972daeb49e5b5bed74887140e9d5bcb58de
+Previous: 68df847c7cd75361a07d4b7603ff1c35408a0863
+Head: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
+  manual-document-mt-safety-arith.patch: a751af8cdebb9eae59c0c48ce3d4b79d692b3026
 Unapplied:
-  manual-document-mt-safety-arith.patch: f4268118ff7169b7016697e2344525b93dd6be01
   manual-document-mt-safety-charset.patch: 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
   manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
   manual-document-mt-safety-crypt.patch: 06242cab8769046e2c3e9670de0b0e664f9624ef
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 49b1456..b23a7d8 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 206cd625e1e8e8dc3e141cdd29c90772cf35e923
-Top:    260809414e54f35864ab54b52fdbff3517f05f2e
+Bottom: 3b3317dffdd8fb0b673f39fa8b5d3c6443f8fc0b
+Top:    802ed278ee78a71e6694780a51b4b82573651127
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=68df847c7cd75361a07d4b7603ff1c35408a0863

commit 68df847c7cd75361a07d4b7603ff1c35408a0863
Merge: 76c1cae 3d30797 4777c89
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:47 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=76c1caed2a8eadde4ca1116e2a7ce75c566c67cd

commit 76c1caed2a8eadde4ca1116e2a7ce75c566c67cd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:47 2013 -0300

    refresh

diff --git a/meta b/meta
index 4734cac..4948513 100644
--- a/meta
+++ b/meta
@@ -1,12 +1,11 @@
 Version: 1
-Previous: deb22b5c421ce209fd4213dffe23b9ba6f03fd80
-Head: 9895792647585fff29af719a760be76b9bf6f1ca
+Previous: 4777c890ea3feef7118158898c52d558e960eb56
+Head: 3d307972daeb49e5b5bed74887140e9d5bcb58de
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
-  manual-document-mt-safety-argp.patch: a1791992633c9fa1862a3073f1396b1b2984430f
-  refresh-temp: 9895792647585fff29af719a760be76b9bf6f1ca
+  manual-document-mt-safety-argp.patch: 3d307972daeb49e5b5bed74887140e9d5bcb58de
 Unapplied:
   manual-document-mt-safety-arith.patch: f4268118ff7169b7016697e2344525b93dd6be01
   manual-document-mt-safety-charset.patch: 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 87d4389..0357d25 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
 Bottom: 342d93cedbc3899d97eb6abb3179c639ca189041
-Top:    b0125a9bbb94b5659c715bf142ffbfd4f81ce170
+Top:    3b3317dffdd8fb0b673f39fa8b5d3c6443f8fc0b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 
@@ -13,7 +13,7 @@ for ChangeLog
 ---
 
 diff --git a/manual/argp.texi b/manual/argp.texi
-index c9fbe97..5322f91 100644
+index c9fbe97..22e7b9e 100644
 --- a/manual/argp.texi
 +++ b/manual/argp.texi
 @@ -36,6 +36,35 @@ needed in @code{main}.
@@ -235,7 +235,7 @@ index c9fbe97..5322f91 100644
  @comment GNU
  @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
 +@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
-+@c Just calls _help.  
++@c Just calls _help.
  This outputs a help message for the argp parser @var{argp} to
  @var{stream}.  The type of messages printed will be determined by
  @var{flags}.
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 2905a68..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,22 +0,0 @@
-Bottom: b0125a9bbb94b5659c715bf142ffbfd4f81ce170
-Top:    3b3317dffdd8fb0b673f39fa8b5d3c6443f8fc0b
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:35:47 -0300
-
-Refresh of manual-document-mt-safety-argp.patch
-
----
-
-diff --git a/manual/argp.texi b/manual/argp.texi
-index 5322f91..22e7b9e 100644
---- a/manual/argp.texi
-+++ b/manual/argp.texi
-@@ -1108,7 +1108,7 @@ program options, argp offers the @code{argp_help} interface.
- @comment GNU
- @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
- @safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
--@c Just calls _help.  
-+@c Just calls _help.
- This outputs a help message for the argp parser @var{argp} to
- @var{stream}.  The type of messages printed will be determined by
- @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4777c890ea3feef7118158898c52d558e960eb56

commit 4777c890ea3feef7118158898c52d558e960eb56
Merge: bb1b10c deb22b5 9895792
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:47 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bb1b10cfcd667f08e3f535b221540a4da4a9eb06

commit bb1b10cfcd667f08e3f535b221540a4da4a9eb06
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:47 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 618ca46..4734cac 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,12 @@
 Version: 1
-Previous: 122aa56ad2927c13e7dff9bbd7eb1dca3dfb7b95
-Head: a1791992633c9fa1862a3073f1396b1b2984430f
+Previous: deb22b5c421ce209fd4213dffe23b9ba6f03fd80
+Head: 9895792647585fff29af719a760be76b9bf6f1ca
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
   manual-document-mt-safety-argp.patch: a1791992633c9fa1862a3073f1396b1b2984430f
+  refresh-temp: 9895792647585fff29af719a760be76b9bf6f1ca
 Unapplied:
   manual-document-mt-safety-arith.patch: f4268118ff7169b7016697e2344525b93dd6be01
   manual-document-mt-safety-charset.patch: 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..2905a68
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,22 @@
+Bottom: b0125a9bbb94b5659c715bf142ffbfd4f81ce170
+Top:    3b3317dffdd8fb0b673f39fa8b5d3c6443f8fc0b
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:35:47 -0300
+
+Refresh of manual-document-mt-safety-argp.patch
+
+---
+
+diff --git a/manual/argp.texi b/manual/argp.texi
+index 5322f91..22e7b9e 100644
+--- a/manual/argp.texi
++++ b/manual/argp.texi
+@@ -1108,7 +1108,7 @@ program options, argp offers the @code{argp_help} interface.
+ @comment GNU
+ @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+ @safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+-@c Just calls _help.  
++@c Just calls _help.
+ This outputs a help message for the argp parser @var{argp} to
+ @var{stream}.  The type of messages printed will be determined by
+ @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9895792647585fff29af719a760be76b9bf6f1ca

commit 9895792647585fff29af719a760be76b9bf6f1ca
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:47 2013 -0300

    Refresh of manual-document-mt-safety-argp.patch

diff --git a/manual/argp.texi b/manual/argp.texi
index 5322f91..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -1108,7 +1108,7 @@ program options, argp offers the @code{argp_help} interface.
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
 @safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
-@c Just calls _help.  
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3d307972daeb49e5b5bed74887140e9d5bcb58de

commit 3d307972daeb49e5b5bed74887140e9d5bcb58de
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..22e7b9e 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=deb22b5c421ce209fd4213dffe23b9ba6f03fd80

commit deb22b5c421ce209fd4213dffe23b9ba6f03fd80
Merge: 8200372 122aa56 a179199
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:25 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8200372a98931eb89aff47b2169097a5b241213c

commit 8200372a98931eb89aff47b2169097a5b241213c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:25 2013 -0300

    push

diff --git a/meta b/meta
index aad55e1..618ca46 100644
--- a/meta
+++ b/meta
@@ -1,12 +1,12 @@
 Version: 1
-Previous: 449608a0e1f9f7031456901831cf276d4a3ce2a8
-Head: 3be99ad69c588de34f357cdfc3e293046eb30b58
+Previous: 122aa56ad2927c13e7dff9bbd7eb1dca3dfb7b95
+Head: a1791992633c9fa1862a3073f1396b1b2984430f
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
   unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
+  manual-document-mt-safety-argp.patch: a1791992633c9fa1862a3073f1396b1b2984430f
 Unapplied:
-  manual-document-mt-safety-argp.patch: 5604d817c0a7feccf5aa0dfa7cb2d583d86ec65f
   manual-document-mt-safety-arith.patch: f4268118ff7169b7016697e2344525b93dd6be01
   manual-document-mt-safety-charset.patch: 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
   manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 914e844..87d4389 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: 6ef173fc60a9c842433354081fa0216e4430c1b8
-Top:    206cd625e1e8e8dc3e141cdd29c90772cf35e923
+Bottom: 342d93cedbc3899d97eb6abb3179c639ca189041
+Top:    b0125a9bbb94b5659c715bf142ffbfd4f81ce170
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a1791992633c9fa1862a3073f1396b1b2984430f

commit a1791992633c9fa1862a3073f1396b1b2984430f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3be99ad69c588de34f357cdfc3e293046eb30b58

commit 3be99ad69c588de34f357cdfc3e293046eb30b58
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=122aa56ad2927c13e7dff9bbd7eb1dca3dfb7b95

commit 122aa56ad2927c13e7dff9bbd7eb1dca3dfb7b95
Merge: e9ca6ad 3be99ad 449608a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:22 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e9ca6ada5272e6d8019d75aa14d6dd366664bc7e

commit e9ca6ada5272e6d8019d75aa14d6dd366664bc7e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:22 2013 -0300

    push

diff --git a/meta b/meta
index 9c77b8c..aad55e1 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,11 @@
 Version: 1
-Previous: 42cee9342d540a15dbfa24ac93b6c76eccfd1d84
-Head: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
+Previous: 449608a0e1f9f7031456901831cf276d4a3ce2a8
+Head: 3be99ad69c588de34f357cdfc3e293046eb30b58
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
   powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
+  unused-scalb-is-scalbn.patch: 3be99ad69c588de34f357cdfc3e293046eb30b58
 Unapplied:
-  unused-scalb-is-scalbn.patch: b290d7167651106f65de65171d52b70c6188329a
   manual-document-mt-safety-argp.patch: 5604d817c0a7feccf5aa0dfa7cb2d583d86ec65f
   manual-document-mt-safety-arith.patch: f4268118ff7169b7016697e2344525b93dd6be01
   manual-document-mt-safety-charset.patch: 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 0fa4208..9b24c12 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,5 +1,5 @@
-Bottom: a8bc26b023f2d43016f043a1972e12edc1f31f8d
-Top:    6ef173fc60a9c842433354081fa0216e4430c1b8
+Bottom: 315c23de417a6094ebe3c8259abcf7f190d93198
+Top:    342d93cedbc3899d97eb6abb3179c639ca189041
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=449608a0e1f9f7031456901831cf276d4a3ce2a8

commit 449608a0e1f9f7031456901831cf276d4a3ce2a8
Merge: b15ced9 42cee93 3071086
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:19 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b15ced979aeb1902b1bf2b385b09c9b14e268b0a

commit b15ced979aeb1902b1bf2b385b09c9b14e268b0a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:19 2013 -0300

    push

diff --git a/meta b/meta
index 0b616e0..9c77b8c 100644
--- a/meta
+++ b/meta
@@ -1,10 +1,10 @@
 Version: 1
-Previous: 338717da7600a142fbc4fc1ecf9c32877a34d3ac
-Head: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
+Previous: 42cee9342d540a15dbfa24ac93b6c76eccfd1d84
+Head: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
 Applied:
   manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
+  powerpc-nofpu-sim-note-nothread.patch: 30710868f55ce7574b12ed319bf2a1c3dc0a3744
 Unapplied:
-  powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
   unused-scalb-is-scalbn.patch: b290d7167651106f65de65171d52b70c6188329a
   manual-document-mt-safety-argp.patch: 5604d817c0a7feccf5aa0dfa7cb2d583d86ec65f
   manual-document-mt-safety-arith.patch: f4268118ff7169b7016697e2344525b93dd6be01
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index 7f2c050..c413ed2 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,5 +1,5 @@
-Bottom: c59759fbdfb422ada848ebdd3845677059986449
-Top:    a8bc26b023f2d43016f043a1972e12edc1f31f8d
+Bottom: 465695c41ceed4d41aaebf0e135b8f1123912988
+Top:    315c23de417a6094ebe3c8259abcf7f190d93198
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=30710868f55ce7574b12ed319bf2a1c3dc0a3744

commit 30710868f55ce7574b12ed319bf2a1c3dc0a3744
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=42cee9342d540a15dbfa24ac93b6c76eccfd1d84

commit 42cee9342d540a15dbfa24ac93b6c76eccfd1d84
Merge: dcb29f3 338717d 2bd5708
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:08 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dcb29f3c9f41f40763018ac5dc1c679450627f8a

commit dcb29f3c9f41f40763018ac5dc1c679450627f8a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:08 2013 -0300

    refresh

diff --git a/meta b/meta
index 3c9d198..0b616e0 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,8 @@
 Version: 1
-Previous: cfbf181420a12a4809c4e059a4ae7cac3012f978
-Head: fcaa52d9d38062d5371a9b3fda4bf3a7c6bd69ed
+Previous: 338717da7600a142fbc4fc1ecf9c32877a34d3ac
+Head: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
 Applied:
-  manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
-  refresh-temp: fcaa52d9d38062d5371a9b3fda4bf3a7c6bd69ed
+  manual-document-mt-safety.patch: 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
   unused-scalb-is-scalbn.patch: b290d7167651106f65de65171d52b70c6188329a
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index e164c49..94acf09 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,5 +1,5 @@
 Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
-Top:    c59759fbdfb422ada848ebdd3845677059986449
+Top:    465695c41ceed4d41aaebf0e135b8f1123912988
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
@@ -15,7 +15,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/intro.texi b/manual/intro.texi
-index deaf089..e47832c 100644
+index deaf089..07f27c9 100644
 --- a/manual/intro.texi
 +++ b/manual/intro.texi
 @@ -172,6 +172,411 @@ pattern matching facilities (@pxref{Pattern Matching}).
@@ -32,12 +32,12 @@ index deaf089..e47832c 100644
 +
 +@itemize @bullet
 +
-+@item 
++@item
 +@cindex MT-Safe
 +MT-Safe functions are safe to call in the presence of other threads.  MT
 +stands for Multi Thread.
 +
-+@item 
++@item
 +@cindex AS-Safe
 +AS-Safe functions are safe to call from asynchronous signal handlers.
 +AS stands for Asynchronous Signal.
@@ -47,7 +47,7 @@ index deaf089..e47832c 100644
 +AC-Safe functions are safe to call when asynchronous cancellation is
 +enabled.  AC stands for Asynchronous Cancellation.
 +
-+@item 
++@item
 +@cindex MT-Unsafe
 +@cindex AS-Unsafe
 +@cindex AC-Unsafe
@@ -213,7 +213,7 @@ index deaf089..e47832c 100644
 +
 +Functions annotated with @code{staticbuf} use internal static buffers or
 +variables in ways that may cause concurrent calls to interfere
-+destructively.  
++destructively.
 +
 +These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 +offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
@@ -239,7 +239,7 @@ index deaf089..e47832c 100644
 +additional code modules.  This involves opening files, mapping them into
 +memory, allocating additional memory, resolving symbols, applying
 +relocations and more, all of this while holding the dynamic loader
-+lock.  
++lock.
 +
 +The non-recursive lock itself is enough for the function to be AS- and
 +AC-Unsafe, but many other issues may arise.
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 37b1c5c..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,55 +0,0 @@
-Bottom: c59759fbdfb422ada848ebdd3845677059986449
-Top:    465695c41ceed4d41aaebf0e135b8f1123912988
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:35:08 -0300
-
-Refresh of manual-document-mt-safety.patch
-
----
-
-diff --git a/manual/intro.texi b/manual/intro.texi
-index e47832c..07f27c9 100644
---- a/manual/intro.texi
-+++ b/manual/intro.texi
-@@ -182,12 +182,12 @@ the meaning of the standard definitions, follow:
- 
- @itemize @bullet
- 
--@item 
-+@item
- @cindex MT-Safe
- MT-Safe functions are safe to call in the presence of other threads.  MT
- stands for Multi Thread.
- 
--@item 
-+@item
- @cindex AS-Safe
- AS-Safe functions are safe to call from asynchronous signal handlers.
- AS stands for Asynchronous Signal.
-@@ -197,7 +197,7 @@ AS stands for Asynchronous Signal.
- AC-Safe functions are safe to call when asynchronous cancellation is
- enabled.  AC stands for Asynchronous Cancellation.
- 
--@item 
-+@item
- @cindex MT-Unsafe
- @cindex AS-Unsafe
- @cindex AC-Unsafe
-@@ -363,7 +363,7 @@ as follows:
- 
- Functions annotated with @code{staticbuf} use internal static buffers or
- variables in ways that may cause concurrent calls to interfere
--destructively.  
-+destructively.
- 
- These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
- offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
-@@ -389,7 +389,7 @@ Functions marked with @code{shlimb} use the dynamic loader to bring in
- additional code modules.  This involves opening files, mapping them into
- memory, allocating additional memory, resolving symbols, applying
- relocations and more, all of this while holding the dynamic loader
--lock.  
-+lock.
- 
- The non-recursive lock itself is enough for the function to be AS- and
- AC-Unsafe, but many other issues may arise.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=338717da7600a142fbc4fc1ecf9c32877a34d3ac

commit 338717da7600a142fbc4fc1ecf9c32877a34d3ac
Merge: b5e4ccb fcaa52d cfbf181
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:08 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b5e4ccb12e1b6fc89981c5eea2f4cf2576c08398

commit b5e4ccb12e1b6fc89981c5eea2f4cf2576c08398
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:08 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index a2afb75..3c9d198 100644
--- a/meta
+++ b/meta
@@ -1,8 +1,9 @@
 Version: 1
-Previous: bc9621873d14d54de91b1fb4da7b489041c57335
-Head: b636b87be9756886bb0f9f1396c31b42d3f83c23
+Previous: cfbf181420a12a4809c4e059a4ae7cac3012f978
+Head: fcaa52d9d38062d5371a9b3fda4bf3a7c6bd69ed
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
+  refresh-temp: fcaa52d9d38062d5371a9b3fda4bf3a7c6bd69ed
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
   unused-scalb-is-scalbn.patch: b290d7167651106f65de65171d52b70c6188329a
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..37b1c5c
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,55 @@
+Bottom: c59759fbdfb422ada848ebdd3845677059986449
+Top:    465695c41ceed4d41aaebf0e135b8f1123912988
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:35:08 -0300
+
+Refresh of manual-document-mt-safety.patch
+
+---
+
+diff --git a/manual/intro.texi b/manual/intro.texi
+index e47832c..07f27c9 100644
+--- a/manual/intro.texi
++++ b/manual/intro.texi
+@@ -182,12 +182,12 @@ the meaning of the standard definitions, follow:
+ 
+ @itemize @bullet
+ 
+-@item 
++@item
+ @cindex MT-Safe
+ MT-Safe functions are safe to call in the presence of other threads.  MT
+ stands for Multi Thread.
+ 
+-@item 
++@item
+ @cindex AS-Safe
+ AS-Safe functions are safe to call from asynchronous signal handlers.
+ AS stands for Asynchronous Signal.
+@@ -197,7 +197,7 @@ AS stands for Asynchronous Signal.
+ AC-Safe functions are safe to call when asynchronous cancellation is
+ enabled.  AC stands for Asynchronous Cancellation.
+ 
+-@item 
++@item
+ @cindex MT-Unsafe
+ @cindex AS-Unsafe
+ @cindex AC-Unsafe
+@@ -363,7 +363,7 @@ as follows:
+ 
+ Functions annotated with @code{staticbuf} use internal static buffers or
+ variables in ways that may cause concurrent calls to interfere
+-destructively.  
++destructively.
+ 
+ These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+ offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+@@ -389,7 +389,7 @@ Functions marked with @code{shlimb} use the dynamic loader to bring in
+ additional code modules.  This involves opening files, mapping them into
+ memory, allocating additional memory, resolving symbols, applying
+ relocations and more, all of this while holding the dynamic loader
+-lock.  
++lock.
+ 
+ The non-recursive lock itself is enough for the function to be AS- and
+ AC-Unsafe, but many other issues may arise.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fcaa52d9d38062d5371a9b3fda4bf3a7c6bd69ed

commit fcaa52d9d38062d5371a9b3fda4bf3a7c6bd69ed
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:35:08 2013 -0300

    Refresh of manual-document-mt-safety.patch

diff --git a/manual/intro.texi b/manual/intro.texi
index e47832c..07f27c9 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -182,12 +182,12 @@ the meaning of the standard definitions, follow:
 
 @itemize @bullet
 
-@item 
+@item
 @cindex MT-Safe
 MT-Safe functions are safe to call in the presence of other threads.  MT
 stands for Multi Thread.
 
-@item 
+@item
 @cindex AS-Safe
 AS-Safe functions are safe to call from asynchronous signal handlers.
 AS stands for Asynchronous Signal.
@@ -197,7 +197,7 @@ AS stands for Asynchronous Signal.
 AC-Safe functions are safe to call when asynchronous cancellation is
 enabled.  AC stands for Asynchronous Cancellation.
 
-@item 
+@item
 @cindex MT-Unsafe
 @cindex AS-Unsafe
 @cindex AC-Unsafe
@@ -363,7 +363,7 @@ as follows:
 
 Functions annotated with @code{staticbuf} use internal static buffers or
 variables in ways that may cause concurrent calls to interfere
-destructively.  
+destructively.
 
 These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
@@ -389,7 +389,7 @@ Functions marked with @code{shlimb} use the dynamic loader to bring in
 additional code modules.  This involves opening files, mapping them into
 memory, allocating additional memory, resolving symbols, applying
 relocations and more, all of this while holding the dynamic loader
-lock.  
+lock.
 
 The non-recursive lock itself is enough for the function to be AS- and
 AC-Unsafe, but many other issues may arise.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cfbf181420a12a4809c4e059a4ae7cac3012f978

commit cfbf181420a12a4809c4e059a4ae7cac3012f978
Merge: cb872d4 bc96218
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:33:32 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cb872d43ea9e4d2cc182c9b248116adafa152b6a

commit cb872d43ea9e4d2cc182c9b248116adafa152b6a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:33:32 2013 -0300

    push

diff --git a/meta b/meta
index bfdfa92..a2afb75 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,9 @@
 Version: 1
-Previous: ffd5c5bfb94cde6cb1bb960cd9b0039fbc7e4165
-Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
+Previous: bc9621873d14d54de91b1fb4da7b489041c57335
+Head: b636b87be9756886bb0f9f1396c31b42d3f83c23
 Applied:
-Unapplied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
+Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
   unused-scalb-is-scalbn.patch: b290d7167651106f65de65171d52b70c6188329a
   manual-document-mt-safety-argp.patch: 5604d817c0a7feccf5aa0dfa7cb2d583d86ec65f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bc9621873d14d54de91b1fb4da7b489041c57335

commit bc9621873d14d54de91b1fb4da7b489041c57335
Merge: 24e7ff0 ffd5c5b ca0a6bc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:33:30 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=24e7ff019d0c2120d281b8ec57e55e38dfa9a60a

commit 24e7ff019d0c2120d281b8ec57e55e38dfa9a60a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:33:30 2013 -0300

    pop

diff --git a/meta b/meta
index 642b7a7..bfdfa92 100644
--- a/meta
+++ b/meta
@@ -1,7 +1,8 @@
 Version: 1
-Previous: 9b6d80ee7ab6e6fe72cc7cb62e9ab40b08d98fcf
-Head: 4022accc5d1f9f2ae322f8f76488286c694acd7b
+Previous: ffd5c5bfb94cde6cb1bb960cd9b0039fbc7e4165
+Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
 Applied:
+Unapplied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
   unused-scalb-is-scalbn.patch: b290d7167651106f65de65171d52b70c6188329a
@@ -29,5 +30,4 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: a9f83c82c1746276acceb4928131d8099c0caf6a
   wip-manual-document-mt-safety-threads.patch: 49c5533ec879c99f89ad9a1ba58929a9739a1254
   wip-manual-document-mt-safety-time.patch: 4022accc5d1f9f2ae322f8f76488286c694acd7b
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ffd5c5bfb94cde6cb1bb960cd9b0039fbc7e4165

commit ffd5c5bfb94cde6cb1bb960cd9b0039fbc7e4165
Merge: 848b85d 9b6d80e 4022acc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:23:06 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=848b85dd2c140ba354d73a36200aab26074a10ea

commit 848b85dd2c140ba354d73a36200aab26074a10ea
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:23:06 2013 -0300

    push

diff --git a/meta b/meta
index f20b1f6..642b7a7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: c3a3e2ed03530068c256413199aaf65a2c9a23c6
-Head: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
+Previous: 9b6d80ee7ab6e6fe72cc7cb62e9ab40b08d98fcf
+Head: 4022accc5d1f9f2ae322f8f76488286c694acd7b
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -22,12 +22,12 @@ Applied:
   manual-document-mt-safety-stdio.patch: 0960f99a58ac496a2420e3d299e868f900662636
   wip-manual-document-mt-safety-locale.patch: 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
   wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
+  wip-manual-document-mt-safety-startup.patch: 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
+  wip-manual-document-mt-safety-search.patch: 75e6004e8dbc695b0cdc9b84249cf1b777fc30b5
+  wip-manual-document-mt-safety-resource.patch: ce4ad52cc41d3ae34f10dc5fa29d2d4c2aa08a5c
+  wip-manual-document-mt-safety-string.patch: 1b3406934ca4e3cb676972632387dd5862c26d57
+  wip-manual-document-mt-safety-terminal.patch: a9f83c82c1746276acceb4928131d8099c0caf6a
+  wip-manual-document-mt-safety-threads.patch: 49c5533ec879c99f89ad9a1ba58929a9739a1254
+  wip-manual-document-mt-safety-time.patch: 4022accc5d1f9f2ae322f8f76488286c694acd7b
 Unapplied:
-  wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
-  wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
-  wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
-  wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
-  wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
-  wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
-  wip-manual-document-mt-safety-time.patch: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4022accc5d1f9f2ae322f8f76488286c694acd7b

commit 4022accc5d1f9f2ae322f8f76488286c694acd7b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=49c5533ec879c99f89ad9a1ba58929a9739a1254

commit 49c5533ec879c99f89ad9a1ba58929a9739a1254
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a9f83c82c1746276acceb4928131d8099c0caf6a

commit a9f83c82c1746276acceb4928131d8099c0caf6a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1b3406934ca4e3cb676972632387dd5862c26d57

commit 1b3406934ca4e3cb676972632387dd5862c26d57
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ce4ad52cc41d3ae34f10dc5fa29d2d4c2aa08a5c

commit ce4ad52cc41d3ae34f10dc5fa29d2d4c2aa08a5c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=75e6004e8dbc695b0cdc9b84249cf1b777fc30b5

commit 75e6004e8dbc695b0cdc9b84249cf1b777fc30b5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3e55489a3bf8f9a9f05d22c1ebbadd2c05990371

commit 3e55489a3bf8f9a9f05d22c1ebbadd2c05990371
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9b6d80ee7ab6e6fe72cc7cb62e9ab40b08d98fcf

commit 9b6d80ee7ab6e6fe72cc7cb62e9ab40b08d98fcf
Merge: ec08fe3 c3a3e2e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:42 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ec08fe3bd130f00b154a916a391ede6d32edd3a7

commit ec08fe3bd130f00b154a916a391ede6d32edd3a7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:42 2013 -0300

    rename

diff --git a/meta b/meta
index b577858..f20b1f6 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: a6fbeb9aedbee6149c8ff623ea1afc5696e04ef2
+Previous: c3a3e2ed03530068c256413199aaf65a2c9a23c6
 Head: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
@@ -21,7 +21,7 @@ Applied:
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-stdio.patch: 0960f99a58ac496a2420e3d299e868f900662636
   wip-manual-document-mt-safety-locale.patch: 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
-  manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
+  wip-manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
 Unapplied:
   wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/wip-manual-document-mt-safety-math.patch
similarity index 100%
rename from patches/manual-document-mt-safety-math.patch
rename to patches/wip-manual-document-mt-safety-math.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fa6fb5b03c11257d3a3c8dc6b02338662de3178f

commit fa6fb5b03c11257d3a3c8dc6b02338662de3178f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c3a3e2ed03530068c256413199aaf65a2c9a23c6

commit c3a3e2ed03530068c256413199aaf65a2c9a23c6
Merge: e1566bf fa6fb5b a6fbeb9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:38 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e1566bf9fb88486cbfedc67bf73c3d975cd7572f

commit e1566bf9fb88486cbfedc67bf73c3d975cd7572f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:38 2013 -0300

    float

diff --git a/meta b/meta
index 074b28d..b577858 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: f0a7a15dfe10c4138b45924e98f82ac9f68d4ae1
-Head: d28c617b0914a75671912795729911dbc6fe09e5
+Previous: a6fbeb9aedbee6149c8ff623ea1afc5696e04ef2
+Head: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -19,9 +19,9 @@ Applied:
   manual-document-mt-safety-job.patch: 57c129a7691ad66436b380272a24d356111b19bf
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
-  manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
-  manual-document-mt-safety-stdio.patch: e6e54eca8a8e68975917469f5af2de9f0f13343f
-  wip-manual-document-mt-safety-locale.patch: d28c617b0914a75671912795729911dbc6fe09e5
+  manual-document-mt-safety-stdio.patch: 0960f99a58ac496a2420e3d299e868f900662636
+  wip-manual-document-mt-safety-locale.patch: 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
+  manual-document-mt-safety-math.patch: fa6fb5b03c11257d3a3c8dc6b02338662de3178f
 Unapplied:
   wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 9f1572f..1477a1e 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
-Top:    fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
+Bottom: 9810f600dc88278307b0fb70f5a0bc3a128cac35
+Top:    34850c3fae2002c32308b3353855e2de0a18b4d3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 3071496..0de73f6 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
-Top:    cc461998b2abb06c1eee7461c38382b121f21408
+Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
+Top:    1b3315652dde989dd535a1572985e5afdd6c5e99
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 6b37e58..3fe7a6a 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: cc461998b2abb06c1eee7461c38382b121f21408
-Top:    34850c3fae2002c32308b3353855e2de0a18b4d3
+Bottom: 1b3315652dde989dd535a1572985e5afdd6c5e99
+Top:    9810f600dc88278307b0fb70f5a0bc3a128cac35
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6c6c8ecacf987abc5dda5f02425179c9f9c5acde

commit 6c6c8ecacf987abc5dda5f02425179c9f9c5acde
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0960f99a58ac496a2420e3d299e868f900662636

commit 0960f99a58ac496a2420e3d299e868f900662636
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a6fbeb9aedbee6149c8ff623ea1afc5696e04ef2

commit a6fbeb9aedbee6149c8ff623ea1afc5696e04ef2
Merge: c9c8e70 d28c617 f0a7a15
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:33 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c9c8e702649d83e74e760275b8a9eed11a6a54cf

commit c9c8e702649d83e74e760275b8a9eed11a6a54cf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:33 2013 -0300

    push

diff --git a/meta b/meta
index 8e68578..074b28d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 336fe16b7fe866758508510e2c02a9f9d1e19dae
-Head: e6e54eca8a8e68975917469f5af2de9f0f13343f
+Previous: f0a7a15dfe10c4138b45924e98f82ac9f68d4ae1
+Head: d28c617b0914a75671912795729911dbc6fe09e5
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -21,8 +21,8 @@ Applied:
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   manual-document-mt-safety-stdio.patch: e6e54eca8a8e68975917469f5af2de9f0f13343f
+  wip-manual-document-mt-safety-locale.patch: d28c617b0914a75671912795729911dbc6fe09e5
 Unapplied:
-  wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
   wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index c0945af..6b37e58 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
-Top:    d5ba9adc90be6728f409ed99bc36a2fc6e659db0
+Bottom: cc461998b2abb06c1eee7461c38382b121f21408
+Top:    34850c3fae2002c32308b3353855e2de0a18b4d3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d28c617b0914a75671912795729911dbc6fe09e5

commit d28c617b0914a75671912795729911dbc6fe09e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f0a7a15dfe10c4138b45924e98f82ac9f68d4ae1

commit f0a7a15dfe10c4138b45924e98f82ac9f68d4ae1
Merge: b8f3387 e6e54ec 336fe16
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:28 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b8f33879ea992d8d06e0d8e8242c3acf47cdea61

commit b8f33879ea992d8d06e0d8e8242c3acf47cdea61
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:28 2013 -0300

    float

diff --git a/meta b/meta
index ed0d165..8e68578 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: baca28272f714749e2522fd703c767c52d786e4f
-Head: ad614ca21bb3d439075824533620448aaca7dca6
+Previous: 336fe16b7fe866758508510e2c02a9f9d1e19dae
+Head: e6e54eca8a8e68975917469f5af2de9f0f13343f
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -20,9 +20,9 @@ Applied:
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
+  manual-document-mt-safety-stdio.patch: e6e54eca8a8e68975917469f5af2de9f0f13343f
 Unapplied:
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
-  manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
   wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 439216f..3071496 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
-Top:    34850c3fae2002c32308b3353855e2de0a18b4d3
+Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
+Top:    cc461998b2abb06c1eee7461c38382b121f21408
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e6e54eca8a8e68975917469f5af2de9f0f13343f

commit e6e54eca8a8e68975917469f5af2de9f0f13343f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=336fe16b7fe866758508510e2c02a9f9d1e19dae

commit 336fe16b7fe866758508510e2c02a9f9d1e19dae
Merge: dc451ff baca282
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:26 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dc451ffdd2937ede520866ea1567b289871e09c8

commit dc451ffdd2937ede520866ea1567b289871e09c8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:26 2013 -0300

    pop

diff --git a/meta b/meta
index 78272d0..ed0d165 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 47e0d3e47e78f161bcff74b05585031fca958b31
-Head: a42a02e1e7c652cc7780640ba20259c587532248
+Previous: baca28272f714749e2522fd703c767c52d786e4f
+Head: ad614ca21bb3d439075824533620448aaca7dca6
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -20,9 +20,9 @@ Applied:
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
+Unapplied:
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
   manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
-Unapplied:
   wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=baca28272f714749e2522fd703c767c52d786e4f

commit baca28272f714749e2522fd703c767c52d786e4f
Merge: b6ed960 47e0d3e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:21 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b6ed9609907f099e7f09892662510850976bde97

commit b6ed9609907f099e7f09892662510850976bde97
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:21 2013 -0300

    float

diff --git a/meta b/meta
index c0bc41e..78272d0 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 532704a546b6b5b16675eaaad7d2885e53064e4c
-Head: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
+Previous: 47e0d3e47e78f161bcff74b05585031fca958b31
+Head: a42a02e1e7c652cc7780640ba20259c587532248
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -21,8 +21,8 @@ Applied:
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
-Unapplied:
   manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
+Unapplied:
   wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=47e0d3e47e78f161bcff74b05585031fca958b31

commit 47e0d3e47e78f161bcff74b05585031fca958b31
Merge: 972eb6c 532704a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:18 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=972eb6cb6f7a241af3ef87b42260a2e30df44e76

commit 972eb6cb6f7a241af3ef87b42260a2e30df44e76
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:18 2013 -0300

    pop

diff --git a/meta b/meta
index 807199e..c0bc41e 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 96d44e67b9d8706145ee8f6a8cf32281036c25ab
-Head: a42a02e1e7c652cc7780640ba20259c587532248
+Previous: 532704a546b6b5b16675eaaad7d2885e53064e4c
+Head: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -21,8 +21,8 @@ Applied:
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
-  manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
 Unapplied:
+  manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
   wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=532704a546b6b5b16675eaaad7d2885e53064e4c

commit 532704a546b6b5b16675eaaad7d2885e53064e4c
Merge: c1eb56a 96d44e6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:13 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c1eb56aa4626150ce50e9d62a9353a0fbcff0868

commit c1eb56aa4626150ce50e9d62a9353a0fbcff0868
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:13 2013 -0300

    pop

diff --git a/meta b/meta
index 98c6446..807199e 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5e554e8e90d5ac20e8728c2791e7eb569b0a72b9
-Head: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
+Previous: 96d44e67b9d8706145ee8f6a8cf32281036c25ab
+Head: a42a02e1e7c652cc7780640ba20259c587532248
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -22,8 +22,8 @@ Applied:
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
   manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
-  wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
 Unapplied:
+  wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=96d44e67b9d8706145ee8f6a8cf32281036c25ab

commit 96d44e67b9d8706145ee8f6a8cf32281036c25ab
Merge: 7a80d63 4513b24 5e554e8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:11 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7a80d63908f847de4ae1d9ff1ffb55a1ca7eb67a

commit 7a80d63908f847de4ae1d9ff1ffb55a1ca7eb67a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:11 2013 -0300

    push

diff --git a/meta b/meta
index 2eb9196..98c6446 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: cff460bd8f3ab8dd9231a7dcad373a6ac24619c2
-Head: a42a02e1e7c652cc7780640ba20259c587532248
+Previous: 5e554e8e90d5ac20e8728c2791e7eb569b0a72b9
+Head: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -22,8 +22,8 @@ Applied:
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
   manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
+  wip-manual-document-mt-safety-startup.patch: 4513b24df2381c1073bcb1b2eac60bddfc5f51da
 Unapplied:
-  wip-manual-document-mt-safety-startup.patch: c07dbdccb654913fa9dcb761709fb6000f6f1edf
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index ba122fe..93b8b21 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
-Top:    151392b3790f3070194c6e79b03e9b88b9fb3052
+Bottom: 34850c3fae2002c32308b3353855e2de0a18b4d3
+Top:    9e26e65c6f5ad1ae860b4b03c429a90054cbb837
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4513b24df2381c1073bcb1b2eac60bddfc5f51da

commit 4513b24df2381c1073bcb1b2eac60bddfc5f51da
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5e554e8e90d5ac20e8728c2791e7eb569b0a72b9

commit 5e554e8e90d5ac20e8728c2791e7eb569b0a72b9
Merge: 9732f8f a42a02e cff460b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:03 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9732f8f54229b855d2133d521d803445a29dca98

commit 9732f8f54229b855d2133d521d803445a29dca98
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:22:03 2013 -0300

    float

diff --git a/meta b/meta
index 560ae1d..2eb9196 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9b994d726d2334605ede7ee74e40464832004c1a
-Head: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
+Previous: cff460bd8f3ab8dd9231a7dcad373a6ac24619c2
+Head: a42a02e1e7c652cc7780640ba20259c587532248
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -21,9 +21,9 @@ Applied:
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
+  manual-document-mt-safety-stdio.patch: a42a02e1e7c652cc7780640ba20259c587532248
 Unapplied:
   wip-manual-document-mt-safety-startup.patch: c07dbdccb654913fa9dcb761709fb6000f6f1edf
-  manual-document-mt-safety-stdio.patch: da2ba42fc63d63defef49cb42670fb97e77a6179
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 2d0e681..439216f 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 151392b3790f3070194c6e79b03e9b88b9fb3052
-Top:    9e26e65c6f5ad1ae860b4b03c429a90054cbb837
+Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
+Top:    34850c3fae2002c32308b3353855e2de0a18b4d3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a42a02e1e7c652cc7780640ba20259c587532248

commit a42a02e1e7c652cc7780640ba20259c587532248
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cff460bd8f3ab8dd9231a7dcad373a6ac24619c2

commit cff460bd8f3ab8dd9231a7dcad373a6ac24619c2
Merge: d40ff1e 9b994d7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:58 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d40ff1ed4d170ecf325d0020f9bfaf8294ed83f6

commit d40ff1ed4d170ecf325d0020f9bfaf8294ed83f6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:58 2013 -0300

    pop

diff --git a/meta b/meta
index 3a1710a..560ae1d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 797bbc4701e79da18f6ad5d0cccc653c322796ec
-Head: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
+Previous: 9b994d726d2334605ede7ee74e40464832004c1a
+Head: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -21,10 +21,10 @@ Applied:
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
+Unapplied:
   wip-manual-document-mt-safety-startup.patch: c07dbdccb654913fa9dcb761709fb6000f6f1edf
   manual-document-mt-safety-stdio.patch: da2ba42fc63d63defef49cb42670fb97e77a6179
   wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
-Unapplied:
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9b994d726d2334605ede7ee74e40464832004c1a

commit 9b994d726d2334605ede7ee74e40464832004c1a
Merge: 4136d52 797bbc4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:48 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4136d5230d1138fdd1ac4a9a54d7610c639b7ad0

commit 4136d5230d1138fdd1ac4a9a54d7610c639b7ad0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:48 2013 -0300

    rename

diff --git a/meta b/meta
index 63435a9..3a1710a 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 0677838a5cbf4e94dbbd80fbf2427d5fcce6cccf
+Previous: 797bbc4701e79da18f6ad5d0cccc653c322796ec
 Head: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
@@ -23,7 +23,7 @@ Applied:
   wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
   wip-manual-document-mt-safety-startup.patch: c07dbdccb654913fa9dcb761709fb6000f6f1edf
   manual-document-mt-safety-stdio.patch: da2ba42fc63d63defef49cb42670fb97e77a6179
-  manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
+  wip-manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
 Unapplied:
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/wip-manual-document-mt-safety-search.patch
similarity index 100%
rename from patches/manual-document-mt-safety-search.patch
rename to patches/wip-manual-document-mt-safety-search.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a85a045f861e4eae2ee7a5ebddbba4ecb4b85087

commit a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=797bbc4701e79da18f6ad5d0cccc653c322796ec

commit 797bbc4701e79da18f6ad5d0cccc653c322796ec
Merge: 1fa6bb8 35815db 0677838
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:44 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1fa6bb80f706b8c748f2a422d94f118378cb3912

commit 1fa6bb80f706b8c748f2a422d94f118378cb3912
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:44 2013 -0300

    float

diff --git a/meta b/meta
index e48e739..63435a9 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 12fbe6a13e4a996cfabe7cd13dabc07a5377ce79
-Head: 4bbeb1050d394dac154d328416785d3a4737bfca
+Previous: 0677838a5cbf4e94dbbd80fbf2427d5fcce6cccf
+Head: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -20,10 +20,10 @@ Applied:
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
-  manual-document-mt-safety-search.patch: af52e291a0269b692e9e0570ba1d886714da159b
-  wip-manual-document-mt-safety-locale.patch: 166651bfa122c6352028365fa0f89c9dc3003751
-  wip-manual-document-mt-safety-startup.patch: f27de287f82231e5a93eaa44bafa8170abc3dce3
-  manual-document-mt-safety-stdio.patch: 4bbeb1050d394dac154d328416785d3a4737bfca
+  wip-manual-document-mt-safety-locale.patch: a85a045f861e4eae2ee7a5ebddbba4ecb4b85087
+  wip-manual-document-mt-safety-startup.patch: c07dbdccb654913fa9dcb761709fb6000f6f1edf
+  manual-document-mt-safety-stdio.patch: da2ba42fc63d63defef49cb42670fb97e77a6179
+  manual-document-mt-safety-search.patch: 35815dbc011f65ef76ad028cbc0b8b32381dd13a
 Unapplied:
   wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
index e0ed5db..dfc7d5e 100644
--- a/patches/manual-document-mt-safety-search.patch
+++ b/patches/manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
-Top:    4b5bc3f694509a6dfd1b265acace61d889211e5c
+Bottom: 9e26e65c6f5ad1ae860b4b03c429a90054cbb837
+Top:    4275437ac31826c5f18c9a5e4b30e85235c02761
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 1259b54..2d0e681 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: d2881bc13111445c3cada2b810275ed5d685175c
-Top:    4275437ac31826c5f18c9a5e4b30e85235c02761
+Bottom: 151392b3790f3070194c6e79b03e9b88b9fb3052
+Top:    9e26e65c6f5ad1ae860b4b03c429a90054cbb837
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 148781b..c0945af 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 4b5bc3f694509a6dfd1b265acace61d889211e5c
-Top:    5bf8b68d0db01d2c779d9e0b745a266268200a3e
+Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
+Top:    d5ba9adc90be6728f409ed99bc36a2fc6e659db0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 2a9f16b..ba122fe 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 5bf8b68d0db01d2c779d9e0b745a266268200a3e
-Top:    d2881bc13111445c3cada2b810275ed5d685175c
+Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
+Top:    151392b3790f3070194c6e79b03e9b88b9fb3052
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=35815dbc011f65ef76ad028cbc0b8b32381dd13a

commit 35815dbc011f65ef76ad028cbc0b8b32381dd13a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=da2ba42fc63d63defef49cb42670fb97e77a6179

commit da2ba42fc63d63defef49cb42670fb97e77a6179
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c07dbdccb654913fa9dcb761709fb6000f6f1edf

commit c07dbdccb654913fa9dcb761709fb6000f6f1edf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0677838a5cbf4e94dbbd80fbf2427d5fcce6cccf

commit 0677838a5cbf4e94dbbd80fbf2427d5fcce6cccf
Merge: dd3c527 12fbe6a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:40 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dd3c527fa4bba3a1bf657d9813343ea4ddf5107a

commit dd3c527fa4bba3a1bf657d9813343ea4ddf5107a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:40 2013 -0300

    pop

diff --git a/meta b/meta
index cc99f28..e48e739 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7cbb268fad337dff229e13ac8be69351cc57313f
-Head: 08d53f635c15ae65cc8f2347e47894394c5a651f
+Previous: 12fbe6a13e4a996cfabe7cd13dabc07a5377ce79
+Head: 4bbeb1050d394dac154d328416785d3a4737bfca
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -24,8 +24,8 @@ Applied:
   wip-manual-document-mt-safety-locale.patch: 166651bfa122c6352028365fa0f89c9dc3003751
   wip-manual-document-mt-safety-startup.patch: f27de287f82231e5a93eaa44bafa8170abc3dce3
   manual-document-mt-safety-stdio.patch: 4bbeb1050d394dac154d328416785d3a4737bfca
-  wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
 Unapplied:
+  wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
   wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=12fbe6a13e4a996cfabe7cd13dabc07a5377ce79

commit 12fbe6a13e4a996cfabe7cd13dabc07a5377ce79
Merge: bec2827 7cbb268
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:21 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bec2827536c90ffded6a98f176ef0a4f9f10d849

commit bec2827536c90ffded6a98f176ef0a4f9f10d849
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:21 2013 -0300

    rename

diff --git a/meta b/meta
index 9ebd437..cc99f28 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 74ac784fe3cc7e497dd1777f02a8c29ec6152a44
+Previous: 7cbb268fad337dff229e13ac8be69351cc57313f
 Head: 08d53f635c15ae65cc8f2347e47894394c5a651f
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
@@ -24,7 +24,7 @@ Applied:
   wip-manual-document-mt-safety-locale.patch: 166651bfa122c6352028365fa0f89c9dc3003751
   wip-manual-document-mt-safety-startup.patch: f27de287f82231e5a93eaa44bafa8170abc3dce3
   manual-document-mt-safety-stdio.patch: 4bbeb1050d394dac154d328416785d3a4737bfca
-  manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
+  wip-manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
 Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/wip-manual-document-mt-safety-resource.patch
similarity index 100%
rename from patches/manual-document-mt-safety-resource.patch
rename to patches/wip-manual-document-mt-safety-resource.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7cbb268fad337dff229e13ac8be69351cc57313f

commit 7cbb268fad337dff229e13ac8be69351cc57313f
Merge: 41a10da 08d53f6 74ac784
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:17 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=41a10daef46a1694e219ab21a7068c43f99882e7

commit 41a10daef46a1694e219ab21a7068c43f99882e7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:21:17 2013 -0300

    float

diff --git a/meta b/meta
index 3391b8b..9ebd437 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b03f8aa8fb7d6c4c3d64881c3f334e1605f344c9
-Head: c3cb182414605a752cfd0de3f8ff1637db9aeddb
+Previous: 74ac784fe3cc7e497dd1777f02a8c29ec6152a44
+Head: 08d53f635c15ae65cc8f2347e47894394c5a651f
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -20,11 +20,11 @@ Applied:
   manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
   manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
-  manual-document-mt-safety-resource.patch: c67d9b0e48706ad7a6ce8afb05575d2da8a739ce
-  manual-document-mt-safety-search.patch: a178ba9d66b1669f239966e51b89a7409aa3a762
-  wip-manual-document-mt-safety-locale.patch: 1080909eb844c0072328bc632d8a57287ad64752
-  wip-manual-document-mt-safety-startup.patch: 5101825e252b39ea192475db1ffaaeef5f155a46
-  manual-document-mt-safety-stdio.patch: c3cb182414605a752cfd0de3f8ff1637db9aeddb
+  manual-document-mt-safety-search.patch: af52e291a0269b692e9e0570ba1d886714da159b
+  wip-manual-document-mt-safety-locale.patch: 166651bfa122c6352028365fa0f89c9dc3003751
+  wip-manual-document-mt-safety-startup.patch: f27de287f82231e5a93eaa44bafa8170abc3dce3
+  manual-document-mt-safety-stdio.patch: 4bbeb1050d394dac154d328416785d3a4737bfca
+  manual-document-mt-safety-resource.patch: 08d53f635c15ae65cc8f2347e47894394c5a651f
 Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
index 8309358..4b6d73f 100644
--- a/patches/manual-document-mt-safety-resource.patch
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
-Top:    77b17631d0ac215fede974ceace7c0d6c28a75cd
+Bottom: 4275437ac31826c5f18c9a5e4b30e85235c02761
+Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
index 3e786ab..e0ed5db 100644
--- a/patches/manual-document-mt-safety-search.patch
+++ b/patches/manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 77b17631d0ac215fede974ceace7c0d6c28a75cd
-Top:    cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
+Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
+Top:    4b5bc3f694509a6dfd1b265acace61d889211e5c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 8b416af..1259b54 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 195f80ed20d8cfa61af3b5629d405de8be7b40fc
-Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
+Bottom: d2881bc13111445c3cada2b810275ed5d685175c
+Top:    4275437ac31826c5f18c9a5e4b30e85235c02761
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index dbff60e..148781b 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
-Top:    8ae75524ca0a1176e4323c74b73cb0722e710364
+Bottom: 4b5bc3f694509a6dfd1b265acace61d889211e5c
+Top:    5bf8b68d0db01d2c779d9e0b745a266268200a3e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index cd2fcf0..2a9f16b 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 8ae75524ca0a1176e4323c74b73cb0722e710364
-Top:    195f80ed20d8cfa61af3b5629d405de8be7b40fc
+Bottom: 5bf8b68d0db01d2c779d9e0b745a266268200a3e
+Top:    d2881bc13111445c3cada2b810275ed5d685175c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=08d53f635c15ae65cc8f2347e47894394c5a651f

commit 08d53f635c15ae65cc8f2347e47894394c5a651f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4bbeb1050d394dac154d328416785d3a4737bfca

commit 4bbeb1050d394dac154d328416785d3a4737bfca
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f27de287f82231e5a93eaa44bafa8170abc3dce3

commit f27de287f82231e5a93eaa44bafa8170abc3dce3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=166651bfa122c6352028365fa0f89c9dc3003751

commit 166651bfa122c6352028365fa0f89c9dc3003751
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=af52e291a0269b692e9e0570ba1d886714da159b

commit af52e291a0269b692e9e0570ba1d886714da159b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=74ac784fe3cc7e497dd1777f02a8c29ec6152a44

commit 74ac784fe3cc7e497dd1777f02a8c29ec6152a44
Merge: 892a074 b03f8aa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:38 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=892a074da1bfdf18e6f8f87cacccfc72d66f10a3

commit 892a074da1bfdf18e6f8f87cacccfc72d66f10a3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:38 2013 -0300

    rename

diff --git a/meta b/meta
index 45c1261..3391b8b 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: a635047355e7efe75f06ce47d6afc804f73fc513
+Previous: b03f8aa8fb7d6c4c3d64881c3f334e1605f344c9
 Head: c3cb182414605a752cfd0de3f8ff1637db9aeddb
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
@@ -24,7 +24,7 @@ Applied:
   manual-document-mt-safety-search.patch: a178ba9d66b1669f239966e51b89a7409aa3a762
   wip-manual-document-mt-safety-locale.patch: 1080909eb844c0072328bc632d8a57287ad64752
   wip-manual-document-mt-safety-startup.patch: 5101825e252b39ea192475db1ffaaeef5f155a46
-  wip-manual-document-mt-safety-stdio.patch: c3cb182414605a752cfd0de3f8ff1637db9aeddb
+  manual-document-mt-safety-stdio.patch: c3cb182414605a752cfd0de3f8ff1637db9aeddb
 Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
diff --git a/patches/wip-manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
similarity index 100%
rename from patches/wip-manual-document-mt-safety-stdio.patch
rename to patches/manual-document-mt-safety-stdio.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b03f8aa8fb7d6c4c3d64881c3f334e1605f344c9

commit b03f8aa8fb7d6c4c3d64881c3f334e1605f344c9
Merge: efa6546 a635047
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:11 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=efa654693e2dd7542014b410dc9f49bb18f37ba6

commit efa654693e2dd7542014b410dc9f49bb18f37ba6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:11 2013 -0300

    rename

diff --git a/meta b/meta
index 3844d46..45c1261 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 214bfe37ebde7efdc4e4b26b55512d35ebdc1f0e
+Previous: a635047355e7efe75f06ce47d6afc804f73fc513
 Head: c3cb182414605a752cfd0de3f8ff1637db9aeddb
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
@@ -24,7 +24,7 @@ Applied:
   manual-document-mt-safety-search.patch: a178ba9d66b1669f239966e51b89a7409aa3a762
   wip-manual-document-mt-safety-locale.patch: 1080909eb844c0072328bc632d8a57287ad64752
   wip-manual-document-mt-safety-startup.patch: 5101825e252b39ea192475db1ffaaeef5f155a46
-  manual-document-mt-safety-stdio.patch: c3cb182414605a752cfd0de3f8ff1637db9aeddb
+  wip-manual-document-mt-safety-stdio.patch: c3cb182414605a752cfd0de3f8ff1637db9aeddb
 Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/wip-manual-document-mt-safety-stdio.patch
similarity index 100%
rename from patches/manual-document-mt-safety-stdio.patch
rename to patches/wip-manual-document-mt-safety-stdio.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a635047355e7efe75f06ce47d6afc804f73fc513

commit a635047355e7efe75f06ce47d6afc804f73fc513
Merge: f233fd0 214bfe3 c3cb182
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:05 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f233fd0cb20891129d27b957f9ef80fdf470441d

commit f233fd0cb20891129d27b957f9ef80fdf470441d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:05 2013 -0300

    float

diff --git a/meta b/meta
index 4b93421..3844d46 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b7a1180b29f8e1785e9467dfbb8c4df59801236a
-Head: 06713123a0b742b742a1093deb32978e84799d02
+Previous: 214bfe37ebde7efdc4e4b26b55512d35ebdc1f0e
+Head: c3cb182414605a752cfd0de3f8ff1637db9aeddb
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -22,9 +22,9 @@ Applied:
   manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
   manual-document-mt-safety-resource.patch: c67d9b0e48706ad7a6ce8afb05575d2da8a739ce
   manual-document-mt-safety-search.patch: a178ba9d66b1669f239966e51b89a7409aa3a762
-  manual-document-mt-safety-stdio.patch: f58d7939271296d5d0b2e459b13c3f0ba92705a6
-  wip-manual-document-mt-safety-locale.patch: 15f732902e7b031fbb6663b8dfe1c097ca9396d2
-  wip-manual-document-mt-safety-startup.patch: 06713123a0b742b742a1093deb32978e84799d02
+  wip-manual-document-mt-safety-locale.patch: 1080909eb844c0072328bc632d8a57287ad64752
+  wip-manual-document-mt-safety-startup.patch: 5101825e252b39ea192475db1ffaaeef5f155a46
+  manual-document-mt-safety-stdio.patch: c3cb182414605a752cfd0de3f8ff1637db9aeddb
 Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 1e0cfc0..8b416af 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
-Top:    52792116005976e16d455f880f0b2d381882e671
+Bottom: 195f80ed20d8cfa61af3b5629d405de8be7b40fc
+Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index d5c1830..dbff60e 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 52792116005976e16d455f880f0b2d381882e671
-Top:    a529301c800b3ca93ba927e5d69da7dd7cafbae7
+Bottom: cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
+Top:    8ae75524ca0a1176e4323c74b73cb0722e710364
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 0cf63b1..cd2fcf0 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: a529301c800b3ca93ba927e5d69da7dd7cafbae7
-Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
+Bottom: 8ae75524ca0a1176e4323c74b73cb0722e710364
+Top:    195f80ed20d8cfa61af3b5629d405de8be7b40fc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c3cb182414605a752cfd0de3f8ff1637db9aeddb

commit c3cb182414605a752cfd0de3f8ff1637db9aeddb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5101825e252b39ea192475db1ffaaeef5f155a46

commit 5101825e252b39ea192475db1ffaaeef5f155a46
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1080909eb844c0072328bc632d8a57287ad64752

commit 1080909eb844c0072328bc632d8a57287ad64752
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=214bfe37ebde7efdc4e4b26b55512d35ebdc1f0e

commit 214bfe37ebde7efdc4e4b26b55512d35ebdc1f0e
Merge: 73cda38 0671312 b7a1180
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:00 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=73cda380eb4cc913cb7e2827ee6e7f4fcd468c53

commit 73cda380eb4cc913cb7e2827ee6e7f4fcd468c53
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:20:00 2013 -0300

    goto

diff --git a/meta b/meta
index e3af5e5..4b93421 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: dfd49e9a54444aeb91fb80326a2b52b1b2b4fe5f
-Head: 290ed306adba817ec4cb4f5207e63269e7990930
+Previous: b7a1180b29f8e1785e9467dfbb8c4df59801236a
+Head: 06713123a0b742b742a1093deb32978e84799d02
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -16,16 +16,16 @@ Applied:
   manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
   manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
+  manual-document-mt-safety-job.patch: 57c129a7691ad66436b380272a24d356111b19bf
+  manual-document-mt-safety-lang.patch: e1bee872da33bdb7b911d4cd111906a390b9ea8a
+  manual-document-mt-safety-llio.patch: 51babe049dfe3862b311b4ebbfd87a8eb915528c
+  manual-document-mt-safety-math.patch: ad614ca21bb3d439075824533620448aaca7dca6
+  manual-document-mt-safety-resource.patch: c67d9b0e48706ad7a6ce8afb05575d2da8a739ce
+  manual-document-mt-safety-search.patch: a178ba9d66b1669f239966e51b89a7409aa3a762
+  manual-document-mt-safety-stdio.patch: f58d7939271296d5d0b2e459b13c3f0ba92705a6
+  wip-manual-document-mt-safety-locale.patch: 15f732902e7b031fbb6663b8dfe1c097ca9396d2
+  wip-manual-document-mt-safety-startup.patch: 06713123a0b742b742a1093deb32978e84799d02
 Unapplied:
-  manual-document-mt-safety-job.patch: 07add391d6215283f7338e451060a144bd241bd9
-  manual-document-mt-safety-lang.patch: 722fae4ea63db2a00f51c08a14d723ad87fd97d9
-  manual-document-mt-safety-llio.patch: 40fb222a22df4ba14615f2276530f1f17682e084
-  manual-document-mt-safety-math.patch: 1f1722344cc379ee50d34f34beaf20fa65b35e2a
-  manual-document-mt-safety-resource.patch: 70fda0831b0d41b658cc1f962cc520e9c16d213e
-  manual-document-mt-safety-search.patch: c0dcc89166196b52cae3da929ae1573d65a3a79f
-  manual-document-mt-safety-stdio.patch: 3af704e77dec1dd398bc0f54ca39b1699c0302fe
-  wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
-  wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
   wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index b4d3b96..e6f679b 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 18760d732995b8379bc372377398a8fd58732762
-Top:    78811ad7f6f34dae902d17fe9939b1ed2877fc8c
+Bottom: 08a4456877254843d89c18fe88e4c0431857fcff
+Top:    b58e76e4078fdee40947d68820e0f861f8cac2de
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index eef82af..09d2cc9 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 78811ad7f6f34dae902d17fe9939b1ed2877fc8c
-Top:    95e3af012c2d8222ce9c18f313b200f086405d32
+Bottom: b58e76e4078fdee40947d68820e0f861f8cac2de
+Top:    5d6bbf322290ec49c7df2274a5b3ec79d32fd303
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 4f4042d..274aefd 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 95e3af012c2d8222ce9c18f313b200f086405d32
-Top:    d984e43548394d87c0dcc06e8f1f954337bf1f0b
+Bottom: 5d6bbf322290ec49c7df2274a5b3ec79d32fd303
+Top:    baf6738652c9240a7ea48273cff318ffb17716d8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index bdc9eab..9f1572f 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: d984e43548394d87c0dcc06e8f1f954337bf1f0b
-Top:    ed5585f43f682f64747d87313aa8fa6455b413af
+Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
+Top:    fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
index 9cf449a..8309358 100644
--- a/patches/manual-document-mt-safety-resource.patch
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: ed5585f43f682f64747d87313aa8fa6455b413af
-Top:    e75af3e584fdb6c5c7a273cced643b65589309d7
+Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
+Top:    77b17631d0ac215fede974ceace7c0d6c28a75cd
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
index 90717fa..3e786ab 100644
--- a/patches/manual-document-mt-safety-search.patch
+++ b/patches/manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: e75af3e584fdb6c5c7a273cced643b65589309d7
-Top:    0c26a00f734d8fe44375085ab3cbede5d3b6b712
+Bottom: 77b17631d0ac215fede974ceace7c0d6c28a75cd
+Top:    cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index e2e4efd..1e0cfc0 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 0c26a00f734d8fe44375085ab3cbede5d3b6b712
-Top:    1ce30a1e33cc504649b7c4c096dbbfb1141d92f9
+Bottom: cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
+Top:    52792116005976e16d455f880f0b2d381882e671
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=51babe049dfe3862b311b4ebbfd87a8eb915528c

commit 51babe049dfe3862b311b4ebbfd87a8eb915528c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ad614ca21bb3d439075824533620448aaca7dca6

commit ad614ca21bb3d439075824533620448aaca7dca6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a178ba9d66b1669f239966e51b89a7409aa3a762

commit a178ba9d66b1669f239966e51b89a7409aa3a762
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=06713123a0b742b742a1093deb32978e84799d02

commit 06713123a0b742b742a1093deb32978e84799d02
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e1bee872da33bdb7b911d4cd111906a390b9ea8a

commit e1bee872da33bdb7b911d4cd111906a390b9ea8a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c67d9b0e48706ad7a6ce8afb05575d2da8a739ce

commit c67d9b0e48706ad7a6ce8afb05575d2da8a739ce
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=15f732902e7b031fbb6663b8dfe1c097ca9396d2

commit 15f732902e7b031fbb6663b8dfe1c097ca9396d2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f58d7939271296d5d0b2e459b13c3f0ba92705a6

commit f58d7939271296d5d0b2e459b13c3f0ba92705a6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=57c129a7691ad66436b380272a24d356111b19bf

commit 57c129a7691ad66436b380272a24d356111b19bf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b7a1180b29f8e1785e9467dfbb8c4df59801236a

commit b7a1180b29f8e1785e9467dfbb8c4df59801236a
Merge: d734882 dfd49e9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:40 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d73488258df3a8ec3c814776d0831682e2dea189

commit d73488258df3a8ec3c814776d0831682e2dea189
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:40 2013 -0300

    rename

diff --git a/meta b/meta
index 2107ada..e3af5e5 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: df394563a1a1bdefbb23875c4edfd069bebfc906
+Previous: dfd49e9a54444aeb91fb80326a2b52b1b2b4fe5f
 Head: 290ed306adba817ec4cb4f5207e63269e7990930
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
@@ -15,7 +15,7 @@ Applied:
   manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
   manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
-  wip-manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
+  manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
 Unapplied:
   manual-document-mt-safety-job.patch: 07add391d6215283f7338e451060a144bd241bd9
   manual-document-mt-safety-lang.patch: 722fae4ea63db2a00f51c08a14d723ad87fd97d9
diff --git a/patches/wip-manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
similarity index 100%
rename from patches/wip-manual-document-mt-safety-libdl.patch
rename to patches/manual-document-mt-safety-libdl.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=290ed306adba817ec4cb4f5207e63269e7990930

commit 290ed306adba817ec4cb4f5207e63269e7990930
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dfd49e9a54444aeb91fb80326a2b52b1b2b4fe5f

commit dfd49e9a54444aeb91fb80326a2b52b1b2b4fe5f
Merge: f843e04 290ed30 df39456
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:36 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f843e04b4c4cd54ee3f947dc222945f2d82812c6

commit f843e04b4c4cd54ee3f947dc222945f2d82812c6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:36 2013 -0300

    float

diff --git a/meta b/meta
index 499b44d..2107ada 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 07cc4f7a608825d04282ff8cf93024496dbcd0dd
-Head: 178c538fec626552e7ec57072a93b3715623e6ac
+Previous: df394563a1a1bdefbb23875c4edfd069bebfc906
+Head: 290ed306adba817ec4cb4f5207e63269e7990930
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -15,6 +15,7 @@ Applied:
   manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
   manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
+  wip-manual-document-mt-safety-libdl.patch: 290ed306adba817ec4cb4f5207e63269e7990930
 Unapplied:
   manual-document-mt-safety-job.patch: 07add391d6215283f7338e451060a144bd241bd9
   manual-document-mt-safety-lang.patch: 722fae4ea63db2a00f51c08a14d723ad87fd97d9
@@ -23,7 +24,6 @@ Unapplied:
   manual-document-mt-safety-resource.patch: 70fda0831b0d41b658cc1f962cc520e9c16d213e
   manual-document-mt-safety-search.patch: c0dcc89166196b52cae3da929ae1573d65a3a79f
   manual-document-mt-safety-stdio.patch: 3af704e77dec1dd398bc0f54ca39b1699c0302fe
-  wip-manual-document-mt-safety-libdl.patch: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
   wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
   wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
diff --git a/patches/wip-manual-document-mt-safety-libdl.patch b/patches/wip-manual-document-mt-safety-libdl.patch
index 3be5a88..abfb497 100644
--- a/patches/wip-manual-document-mt-safety-libdl.patch
+++ b/patches/wip-manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 1ce30a1e33cc504649b7c4c096dbbfb1141d92f9
-Top:    52792116005976e16d455f880f0b2d381882e671
+Bottom: 18760d732995b8379bc372377398a8fd58732762
+Top:    08a4456877254843d89c18fe88e4c0431857fcff
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=df394563a1a1bdefbb23875c4edfd069bebfc906

commit df394563a1a1bdefbb23875c4edfd069bebfc906
Merge: 9803524 07cc4f7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:31 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=980352436391bca67ab0913116cf51fb5f9576a2

commit 980352436391bca67ab0913116cf51fb5f9576a2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:31 2013 -0300

    goto

diff --git a/meta b/meta
index 4d6d6fe..499b44d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 89dab3a09c52dc578a0bf773023be89522f9e07c
-Head: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
+Previous: 07cc4f7a608825d04282ff8cf93024496dbcd0dd
+Head: 178c538fec626552e7ec57072a93b3715623e6ac
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -15,6 +15,7 @@ Applied:
   manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
   manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
+Unapplied:
   manual-document-mt-safety-job.patch: 07add391d6215283f7338e451060a144bd241bd9
   manual-document-mt-safety-lang.patch: 722fae4ea63db2a00f51c08a14d723ad87fd97d9
   manual-document-mt-safety-llio.patch: 40fb222a22df4ba14615f2276530f1f17682e084
@@ -23,7 +24,6 @@ Applied:
   manual-document-mt-safety-search.patch: c0dcc89166196b52cae3da929ae1573d65a3a79f
   manual-document-mt-safety-stdio.patch: 3af704e77dec1dd398bc0f54ca39b1699c0302fe
   wip-manual-document-mt-safety-libdl.patch: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
-Unapplied:
   wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
   wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=07cc4f7a608825d04282ff8cf93024496dbcd0dd

commit 07cc4f7a608825d04282ff8cf93024496dbcd0dd
Merge: 4fbe0fd 89dab3a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:14 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4fbe0fd02915da0b97c6193433f064858047097f

commit 4fbe0fd02915da0b97c6193433f064858047097f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:14 2013 -0300

    rename

diff --git a/meta b/meta
index a56a1ba..4d6d6fe 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 683b11d7ba63f7d33a738ee3e455d709430060a5
+Previous: 89dab3a09c52dc578a0bf773023be89522f9e07c
 Head: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
@@ -22,7 +22,7 @@ Applied:
   manual-document-mt-safety-resource.patch: 70fda0831b0d41b658cc1f962cc520e9c16d213e
   manual-document-mt-safety-search.patch: c0dcc89166196b52cae3da929ae1573d65a3a79f
   manual-document-mt-safety-stdio.patch: 3af704e77dec1dd398bc0f54ca39b1699c0302fe
-  manual-document-mt-safety-libdl.patch: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
+  wip-manual-document-mt-safety-libdl.patch: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
 Unapplied:
   wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
   wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/wip-manual-document-mt-safety-libdl.patch
similarity index 100%
rename from patches/manual-document-mt-safety-libdl.patch
rename to patches/wip-manual-document-mt-safety-libdl.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=89dab3a09c52dc578a0bf773023be89522f9e07c

commit 89dab3a09c52dc578a0bf773023be89522f9e07c
Merge: 04e9c88 683b11d 1c3dd47
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:10 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=04e9c88f083f13dcd5dc89ec56408b62c0a3ce65

commit 04e9c88f083f13dcd5dc89ec56408b62c0a3ce65
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:10 2013 -0300

    float

diff --git a/meta b/meta
index 8eb614f..a56a1ba 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 4ad8782a5913237d5f4f4770c0cb2997bf1e5d39
-Head: e69879f1fd2ffbc9da13aecf65eb9a6d2a10932d
+Previous: 683b11d7ba63f7d33a738ee3e455d709430060a5
+Head: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -17,12 +17,12 @@ Applied:
   manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
   manual-document-mt-safety-job.patch: 07add391d6215283f7338e451060a144bd241bd9
   manual-document-mt-safety-lang.patch: 722fae4ea63db2a00f51c08a14d723ad87fd97d9
-  manual-document-mt-safety-libdl.patch: 5830f31e3722b9269c618a39bfd56052c609d711
-  manual-document-mt-safety-llio.patch: f7b80d2460a6a65a292c067bfaf12d714767bcf9
-  manual-document-mt-safety-math.patch: abf0509619f09c0ea5350931563012ae3f2a84ff
-  manual-document-mt-safety-resource.patch: c3461a1ad69328498c40542218f476af25478aec
-  manual-document-mt-safety-search.patch: 51c941036cb82913f64a97d34be1d4236cb6fd4f
-  manual-document-mt-safety-stdio.patch: e69879f1fd2ffbc9da13aecf65eb9a6d2a10932d
+  manual-document-mt-safety-llio.patch: 40fb222a22df4ba14615f2276530f1f17682e084
+  manual-document-mt-safety-math.patch: 1f1722344cc379ee50d34f34beaf20fa65b35e2a
+  manual-document-mt-safety-resource.patch: 70fda0831b0d41b658cc1f962cc520e9c16d213e
+  manual-document-mt-safety-search.patch: c0dcc89166196b52cae3da929ae1573d65a3a79f
+  manual-document-mt-safety-stdio.patch: 3af704e77dec1dd398bc0f54ca39b1699c0302fe
+  manual-document-mt-safety-libdl.patch: 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
 Unapplied:
   wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
   wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 51626a1..3be5a88 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 95e3af012c2d8222ce9c18f313b200f086405d32
-Top:    5d6bbf322290ec49c7df2274a5b3ec79d32fd303
+Bottom: 1ce30a1e33cc504649b7c4c096dbbfb1141d92f9
+Top:    52792116005976e16d455f880f0b2d381882e671
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 274aefd..4f4042d 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 5d6bbf322290ec49c7df2274a5b3ec79d32fd303
-Top:    baf6738652c9240a7ea48273cff318ffb17716d8
+Bottom: 95e3af012c2d8222ce9c18f313b200f086405d32
+Top:    d984e43548394d87c0dcc06e8f1f954337bf1f0b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 9f1572f..bdc9eab 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
-Top:    fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
+Bottom: d984e43548394d87c0dcc06e8f1f954337bf1f0b
+Top:    ed5585f43f682f64747d87313aa8fa6455b413af
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
index 8309358..9cf449a 100644
--- a/patches/manual-document-mt-safety-resource.patch
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
-Top:    77b17631d0ac215fede974ceace7c0d6c28a75cd
+Bottom: ed5585f43f682f64747d87313aa8fa6455b413af
+Top:    e75af3e584fdb6c5c7a273cced643b65589309d7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
index 3e786ab..90717fa 100644
--- a/patches/manual-document-mt-safety-search.patch
+++ b/patches/manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: 77b17631d0ac215fede974ceace7c0d6c28a75cd
-Top:    cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
+Bottom: e75af3e584fdb6c5c7a273cced643b65589309d7
+Top:    0c26a00f734d8fe44375085ab3cbede5d3b6b712
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 1e0cfc0..e2e4efd 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
-Top:    52792116005976e16d455f880f0b2d381882e671
+Bottom: 0c26a00f734d8fe44375085ab3cbede5d3b6b712
+Top:    1ce30a1e33cc504649b7c4c096dbbfb1141d92f9
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1c3dd47ad53efd25fa2a616493c73c3d197af0ff

commit 1c3dd47ad53efd25fa2a616493c73c3d197af0ff
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3af704e77dec1dd398bc0f54ca39b1699c0302fe

commit 3af704e77dec1dd398bc0f54ca39b1699c0302fe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c0dcc89166196b52cae3da929ae1573d65a3a79f

commit c0dcc89166196b52cae3da929ae1573d65a3a79f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=70fda0831b0d41b658cc1f962cc520e9c16d213e

commit 70fda0831b0d41b658cc1f962cc520e9c16d213e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1f1722344cc379ee50d34f34beaf20fa65b35e2a

commit 1f1722344cc379ee50d34f34beaf20fa65b35e2a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=40fb222a22df4ba14615f2276530f1f17682e084

commit 40fb222a22df4ba14615f2276530f1f17682e084
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=683b11d7ba63f7d33a738ee3e455d709430060a5

commit 683b11d7ba63f7d33a738ee3e455d709430060a5
Merge: 087e7c5 4ad8782
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:03 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=087e7c525fc9850ac2362eb36f93945216d985b9

commit 087e7c525fc9850ac2362eb36f93945216d985b9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:19:03 2013 -0300

    pop

diff --git a/meta b/meta
index f69e02d..8eb614f 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 33d29b6c8744e4e6e9ca69398c75e66fea7ee3ab
-Head: 726e2d92020c1b7d1143d63c5b5137132e418c71
+Previous: 4ad8782a5913237d5f4f4770c0cb2997bf1e5d39
+Head: e69879f1fd2ffbc9da13aecf65eb9a6d2a10932d
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -23,8 +23,8 @@ Applied:
   manual-document-mt-safety-resource.patch: c3461a1ad69328498c40542218f476af25478aec
   manual-document-mt-safety-search.patch: 51c941036cb82913f64a97d34be1d4236cb6fd4f
   manual-document-mt-safety-stdio.patch: e69879f1fd2ffbc9da13aecf65eb9a6d2a10932d
-  wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
 Unapplied:
+  wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
   wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4ad8782a5913237d5f4f4770c0cb2997bf1e5d39

commit 4ad8782a5913237d5f4f4770c0cb2997bf1e5d39
Merge: 6c92768 33d29b6 726e2d9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:16:12 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6c92768daac54ca055fa5e5e7a72f70982605cc9

commit 6c92768daac54ca055fa5e5e7a72f70982605cc9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:16:12 2013 -0300

    float

diff --git a/meta b/meta
index 4f84155..f69e02d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b5b96c66612e157138c818fc8a3efb61be698f64
-Head: 156684c20844d37d6b15b923f58aff88991696a9
+Previous: 33d29b6c8744e4e6e9ca69398c75e66fea7ee3ab
+Head: 726e2d92020c1b7d1143d63c5b5137132e418c71
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -19,11 +19,11 @@ Applied:
   manual-document-mt-safety-lang.patch: 722fae4ea63db2a00f51c08a14d723ad87fd97d9
   manual-document-mt-safety-libdl.patch: 5830f31e3722b9269c618a39bfd56052c609d711
   manual-document-mt-safety-llio.patch: f7b80d2460a6a65a292c067bfaf12d714767bcf9
-  wip-manual-document-mt-safety-locale.patch: ad4e6d6ef856e42ce04d66bc8c06c31523edb9bb
-  manual-document-mt-safety-math.patch: 4651ae36240aaaf68cdb47687889274248e1274b
-  manual-document-mt-safety-resource.patch: 42e85e03ab026a86c127b7d0ec7fb94e1a94f75f
-  manual-document-mt-safety-search.patch: 974ea38cb1486c677456bd449b95ee18e3e7ecc3
-  manual-document-mt-safety-stdio.patch: 156684c20844d37d6b15b923f58aff88991696a9
+  manual-document-mt-safety-math.patch: abf0509619f09c0ea5350931563012ae3f2a84ff
+  manual-document-mt-safety-resource.patch: c3461a1ad69328498c40542218f476af25478aec
+  manual-document-mt-safety-search.patch: 51c941036cb82913f64a97d34be1d4236cb6fd4f
+  manual-document-mt-safety-stdio.patch: e69879f1fd2ffbc9da13aecf65eb9a6d2a10932d
+  wip-manual-document-mt-safety-locale.patch: 726e2d92020c1b7d1143d63c5b5137132e418c71
 Unapplied:
   wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 66820ca..9f1572f 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 9a5ec672bda784c35e1f86d0f274cdb9e58f217c
-Top:    d5ba9adc90be6728f409ed99bc36a2fc6e659db0
+Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
+Top:    fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
index 3fa9fb2..8309358 100644
--- a/patches/manual-document-mt-safety-resource.patch
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
-Top:    e27f818dd7517eeba6c572017e1d77241113d456
+Bottom: fca3ed18d5fc63652aeb45f6c8c8c8e1acfb3f02
+Top:    77b17631d0ac215fede974ceace7c0d6c28a75cd
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
index fb52bb3..3e786ab 100644
--- a/patches/manual-document-mt-safety-search.patch
+++ b/patches/manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: e27f818dd7517eeba6c572017e1d77241113d456
-Top:    8ae75524ca0a1176e4323c74b73cb0722e710364
+Bottom: 77b17631d0ac215fede974ceace7c0d6c28a75cd
+Top:    cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 52710b6..1e0cfc0 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 8ae75524ca0a1176e4323c74b73cb0722e710364
-Top:    a529301c800b3ca93ba927e5d69da7dd7cafbae7
+Bottom: cbe4e4c5b0ee9abd94487f5c47ff479c7d086400
+Top:    52792116005976e16d455f880f0b2d381882e671
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 6515b05..d5c1830 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
-Top:    9a5ec672bda784c35e1f86d0f274cdb9e58f217c
+Bottom: 52792116005976e16d455f880f0b2d381882e671
+Top:    a529301c800b3ca93ba927e5d69da7dd7cafbae7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=726e2d92020c1b7d1143d63c5b5137132e418c71

commit 726e2d92020c1b7d1143d63c5b5137132e418c71
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e69879f1fd2ffbc9da13aecf65eb9a6d2a10932d

commit e69879f1fd2ffbc9da13aecf65eb9a6d2a10932d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=51c941036cb82913f64a97d34be1d4236cb6fd4f

commit 51c941036cb82913f64a97d34be1d4236cb6fd4f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c3461a1ad69328498c40542218f476af25478aec

commit c3461a1ad69328498c40542218f476af25478aec
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=abf0509619f09c0ea5350931563012ae3f2a84ff

commit abf0509619f09c0ea5350931563012ae3f2a84ff
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=33d29b6c8744e4e6e9ca69398c75e66fea7ee3ab

commit 33d29b6c8744e4e6e9ca69398c75e66fea7ee3ab
Merge: d2b3902 b5b96c6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:16:07 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d2b3902ab3a56c273b4b0f8ceeafdac43505d564

commit d2b3902ab3a56c273b4b0f8ceeafdac43505d564
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:16:07 2013 -0300

    pop

diff --git a/meta b/meta
index 1907fbf..4f84155 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6343a1a039c34d3c7408f4bb560c2515343360eb
-Head: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
+Previous: b5b96c66612e157138c818fc8a3efb61be698f64
+Head: 156684c20844d37d6b15b923f58aff88991696a9
 Applied:
   manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
   powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
@@ -24,8 +24,8 @@ Applied:
   manual-document-mt-safety-resource.patch: 42e85e03ab026a86c127b7d0ec7fb94e1a94f75f
   manual-document-mt-safety-search.patch: 974ea38cb1486c677456bd449b95ee18e3e7ecc3
   manual-document-mt-safety-stdio.patch: 156684c20844d37d6b15b923f58aff88991696a9
-  wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
 Unapplied:
+  wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
   wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b5b96c66612e157138c818fc8a3efb61be698f64

commit b5b96c66612e157138c818fc8a3efb61be698f64
Merge: cd4a235 a51d72b 6343a1a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:16:02 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cd4a235dffc1bc75049f7e08307c6784bd0c4868

commit cd4a235dffc1bc75049f7e08307c6784bd0c4868
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:16:02 2013 -0300

    float

diff --git a/meta b/meta
index 1943013..1907fbf 100644
--- a/meta
+++ b/meta
@@ -1,30 +1,30 @@
 Version: 1
-Previous: 62bbc3d80d58e685b5c3e655681849574ef8b421
-Head: cd940c77f411533af456e9cec1af020887deb9f7
+Previous: 6343a1a039c34d3c7408f4bb560c2515343360eb
+Head: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
 Applied:
-  wip-manual-document-mt-safety-startup.patch: 805b53d0709375c42ca52cdb1b8e1a9e9dc041a1
-  manual-document-mt-safety.patch: 6302ecd89c407c9fa96dd9a6263175c8ef1dee48
-  powerpc-nofpu-sim-note-nothread.patch: ebf259b70d2e3b3122af4e09e78b5112f9160389
-  unused-scalb-is-scalbn.patch: cfe805ba9962e7ecb02cb7d91f07e877fccc1742
-  manual-document-mt-safety-argp.patch: 12aba27e1c96ff9703ea9423bf471fa3f0454616
-  manual-document-mt-safety-arith.patch: d4bc90d431da292824c33273485aab09d0c9ada3
-  manual-document-mt-safety-charset.patch: 71ab9cf6aa2f9992310fda06683ba6db44faff8a
-  manual-document-mt-safety-conf.patch: 0a6834ab437d116e8ebd6d9c7232f1daaf23e892
-  manual-document-mt-safety-crypt.patch: 39e993dc2ae9653217a042eeedfe06456f1c9ea0
-  manual-document-mt-safety-ctype.patch: 7ac8448e6d04eff177c2c665fdcbb07c93a917ad
-  manual-document-mt-safety-debug.patch: 35461a82e984e8751071f7c46c048d911397fb9e
-  manual-document-mt-safety-errno.patch: df11bbcd0fcc1b33c747f8e9cb13d296575e0f3e
-  manual-document-mt-safety-filesys.patch: 833600d06ecc585f1dd82165a6c0af8f0b6e82c2
-  manual-document-mt-safety-getopt.patch: 54959e6a17b3ca7272b56edee5293cea3b346c5f
-  manual-document-mt-safety-job.patch: c25daa987c90bfad25cb4e1273fd92cf71fdf232
-  manual-document-mt-safety-lang.patch: d6fbd9b15e0b0a304a84dd9a10e07d1a7b94ddfa
-  manual-document-mt-safety-libdl.patch: bf1322ac2f5a65a30bc797fa97ba036fa9ded52b
-  manual-document-mt-safety-llio.patch: c42f6feb7f97230157c3ceb687a159b84bb4d7d8
-  wip-manual-document-mt-safety-locale.patch: e8c35213fe8fef0412e66e661ebd802026da720b
-  manual-document-mt-safety-math.patch: 0fd2970206a6c8a76bebacec7637139b2007fb7e
-  manual-document-mt-safety-resource.patch: b01f62db5594863fa7579f21f05ad57104fa679d
-  manual-document-mt-safety-search.patch: fbbed37c987a939b69864e80aa62d0a79af16d45
-  manual-document-mt-safety-stdio.patch: cd940c77f411533af456e9cec1af020887deb9f7
+  manual-document-mt-safety.patch: b636b87be9756886bb0f9f1396c31b42d3f83c23
+  powerpc-nofpu-sim-note-nothread.patch: 22b44b5585a77352a33172a9583ea1e002e1602c
+  unused-scalb-is-scalbn.patch: b290d7167651106f65de65171d52b70c6188329a
+  manual-document-mt-safety-argp.patch: 5604d817c0a7feccf5aa0dfa7cb2d583d86ec65f
+  manual-document-mt-safety-arith.patch: f4268118ff7169b7016697e2344525b93dd6be01
+  manual-document-mt-safety-charset.patch: 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
+  manual-document-mt-safety-conf.patch: ada59d4ba350be38e3b5d960053eac19f0c22bf1
+  manual-document-mt-safety-crypt.patch: 06242cab8769046e2c3e9670de0b0e664f9624ef
+  manual-document-mt-safety-ctype.patch: 776df644b03f53de0e1d21d4b6e8df0fb287117e
+  manual-document-mt-safety-debug.patch: 90470ebb84408d72de8a13806b2e84801fbcc026
+  manual-document-mt-safety-errno.patch: 4c83ae2974e8153950355eca983b33e13bad7490
+  manual-document-mt-safety-filesys.patch: 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
+  manual-document-mt-safety-getopt.patch: 178c538fec626552e7ec57072a93b3715623e6ac
+  manual-document-mt-safety-job.patch: 07add391d6215283f7338e451060a144bd241bd9
+  manual-document-mt-safety-lang.patch: 722fae4ea63db2a00f51c08a14d723ad87fd97d9
+  manual-document-mt-safety-libdl.patch: 5830f31e3722b9269c618a39bfd56052c609d711
+  manual-document-mt-safety-llio.patch: f7b80d2460a6a65a292c067bfaf12d714767bcf9
+  wip-manual-document-mt-safety-locale.patch: ad4e6d6ef856e42ce04d66bc8c06c31523edb9bb
+  manual-document-mt-safety-math.patch: 4651ae36240aaaf68cdb47687889274248e1274b
+  manual-document-mt-safety-resource.patch: 42e85e03ab026a86c127b7d0ec7fb94e1a94f75f
+  manual-document-mt-safety-search.patch: 974ea38cb1486c677456bd449b95ee18e3e7ecc3
+  manual-document-mt-safety-stdio.patch: 156684c20844d37d6b15b923f58aff88991696a9
+  wip-manual-document-mt-safety-startup.patch: a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
 Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 482ace8..914e844 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: 3015208671bba3feaab85a1d0587333944496507
-Top:    3bf770a43ecbc7a48273b81910c72f77782ed1ca
+Bottom: 6ef173fc60a9c842433354081fa0216e4430c1b8
+Top:    206cd625e1e8e8dc3e141cdd29c90772cf35e923
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 49910ab..49b1456 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 3bf770a43ecbc7a48273b81910c72f77782ed1ca
-Top:    f0342b90632c74b9a721b35d9c95ea85919ae5a4
+Bottom: 206cd625e1e8e8dc3e141cdd29c90772cf35e923
+Top:    260809414e54f35864ab54b52fdbff3517f05f2e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index 9e69579..c4d22ae 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: f0342b90632c74b9a721b35d9c95ea85919ae5a4
-Top:    e24c4115f83f7eb92649db91634e17593123738e
+Bottom: 260809414e54f35864ab54b52fdbff3517f05f2e
+Top:    0ed3cc03efad5a94ba0a48cd696ec823658ac35b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:01:33 -0300
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index 920632a..0db760e 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,5 +1,5 @@
-Bottom: e24c4115f83f7eb92649db91634e17593123738e
-Top:    b5ee8a1d755fc9b47ec6c5b52642ba912dd57f1c
+Bottom: 0ed3cc03efad5a94ba0a48cd696ec823658ac35b
+Top:    621eb53ac8713123406be43ebd474132b7c6e4de
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:16 -0300
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 6f5b2da..20411b6 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
-Bottom: b5ee8a1d755fc9b47ec6c5b52642ba912dd57f1c
-Top:    8d7d2a6304d608c30830622d547d0885c92e4088
+Bottom: 621eb53ac8713123406be43ebd474132b7c6e4de
+Top:    25551ef91682bea014db1b2031e4dad60a4ba129
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:47 -0300
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 860831d..8700f8e 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 8d7d2a6304d608c30830622d547d0885c92e4088
-Top:    b68c41c74be21ce5c0d141f46075c7c4824255a0
+Bottom: 25551ef91682bea014db1b2031e4dad60a4ba129
+Top:    1fe3a56b7e61d235687df61e4d4bded8e7283992
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index bbd624b..2063a20 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: b68c41c74be21ce5c0d141f46075c7c4824255a0
-Top:    8825d25214af5bd5f5000d77da51dd0136ce4967
+Bottom: 1fe3a56b7e61d235687df61e4d4bded8e7283992
+Top:    5add8b2d9a79567d15e402219a50ddf6704cdcea
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:11 -0300
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 4c0d22a..7b30386 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: 8825d25214af5bd5f5000d77da51dd0136ce4967
-Top:    3c15ad10698d40f3a9a3f3cf4d5494cdbb3f36d3
+Bottom: 5add8b2d9a79567d15e402219a50ddf6704cdcea
+Top:    50fd6f363b9af88ae1e05db55cefcd1e41c10123
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:34 -0300
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 27656d8..7b4e146 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: 3c15ad10698d40f3a9a3f3cf4d5494cdbb3f36d3
-Top:    19a289ef47d8b90cc68b095d1ee674a14b6cfcd6
+Bottom: 50fd6f363b9af88ae1e05db55cefcd1e41c10123
+Top:    c0467ea68e04c4b52c9c771dad681e1220291a6a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 18640dd..753c8f5 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: 19a289ef47d8b90cc68b095d1ee674a14b6cfcd6
-Top:    e4f410db325f1ed99571de968b979924a181518e
+Bottom: c0467ea68e04c4b52c9c771dad681e1220291a6a
+Top:    18760d732995b8379bc372377398a8fd58732762
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index 8683ffe..b4d3b96 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: e4f410db325f1ed99571de968b979924a181518e
-Top:    4ea71e22c9fe558431bb0c09aff41b873f8cb26a
+Bottom: 18760d732995b8379bc372377398a8fd58732762
+Top:    78811ad7f6f34dae902d17fe9939b1ed2877fc8c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index 45c3684..eef82af 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 4ea71e22c9fe558431bb0c09aff41b873f8cb26a
-Top:    8308f7496ee59e742bc30a47396ed16b09f4ed78
+Bottom: 78811ad7f6f34dae902d17fe9939b1ed2877fc8c
+Top:    95e3af012c2d8222ce9c18f313b200f086405d32
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index f0ef929..51626a1 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 8308f7496ee59e742bc30a47396ed16b09f4ed78
-Top:    e209dda6062453b563bc99b39fdc7f9a8c570777
+Bottom: 95e3af012c2d8222ce9c18f313b200f086405d32
+Top:    5d6bbf322290ec49c7df2274a5b3ec79d32fd303
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index de6b6dc..274aefd 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: e209dda6062453b563bc99b39fdc7f9a8c570777
-Top:    5f68670b8dd4ad6830a841a3dc70f473f514faaf
+Bottom: 5d6bbf322290ec49c7df2274a5b3ec79d32fd303
+Top:    baf6738652c9240a7ea48273cff318ffb17716d8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 1d22852..66820ca 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 40bcd99e1057f6cfbf0a4f7686699d08270ed358
-Top:    151392b3790f3070194c6e79b03e9b88b9fb3052
+Bottom: 9a5ec672bda784c35e1f86d0f274cdb9e58f217c
+Top:    d5ba9adc90be6728f409ed99bc36a2fc6e659db0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
index 6cbd7ab..3fa9fb2 100644
--- a/patches/manual-document-mt-safety-resource.patch
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 151392b3790f3070194c6e79b03e9b88b9fb3052
-Top:    fc7b8a7dee8f458b513deaaf4f60d03ca33535c2
+Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
+Top:    e27f818dd7517eeba6c572017e1d77241113d456
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
index 8e3e36f..fb52bb3 100644
--- a/patches/manual-document-mt-safety-search.patch
+++ b/patches/manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: fc7b8a7dee8f458b513deaaf4f60d03ca33535c2
-Top:    195f80ed20d8cfa61af3b5629d405de8be7b40fc
+Bottom: e27f818dd7517eeba6c572017e1d77241113d456
+Top:    8ae75524ca0a1176e4323c74b73cb0722e710364
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 8b416af..52710b6 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 195f80ed20d8cfa61af3b5629d405de8be7b40fc
-Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
+Bottom: 8ae75524ca0a1176e4323c74b73cb0722e710364
+Top:    a529301c800b3ca93ba927e5d69da7dd7cafbae7
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index 36caa7a..e164c49 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,5 +1,5 @@
-Bottom: 5efab0c449ae83db3aa70ebd97b31e7fb29fe50b
-Top:    72ab4d51f78fd9a15e02a670cc921a59761f3ffb
+Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
+Top:    c59759fbdfb422ada848ebdd3845677059986449
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index a1d126e..7f2c050 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,5 +1,5 @@
-Bottom: 72ab4d51f78fd9a15e02a670cc921a59761f3ffb
-Top:    47b4fcd31a0f1ee3c6e9b10a9512e2afc2975e5f
+Bottom: c59759fbdfb422ada848ebdd3845677059986449
+Top:    a8bc26b023f2d43016f043a1972e12edc1f31f8d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 62fcad2..0fa4208 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,5 +1,5 @@
-Bottom: 47b4fcd31a0f1ee3c6e9b10a9512e2afc2975e5f
-Top:    3015208671bba3feaab85a1d0587333944496507
+Bottom: a8bc26b023f2d43016f043a1972e12edc1f31f8d
+Top:    6ef173fc60a9c842433354081fa0216e4430c1b8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 2c23cb9..6515b05 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: 5f68670b8dd4ad6830a841a3dc70f473f514faaf
-Top:    40bcd99e1057f6cfbf0a4f7686699d08270ed358
+Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
+Top:    9a5ec672bda784c35e1f86d0f274cdb9e58f217c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index 6de832f..0cf63b1 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
-Top:    5efab0c449ae83db3aa70ebd97b31e7fb29fe50b
+Bottom: a529301c800b3ca93ba927e5d69da7dd7cafbae7
+Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a51d72b2f27eae1bcf41a5aeb4718ed837ef2701

commit a51d72b2f27eae1bcf41a5aeb4718ed837ef2701
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=156684c20844d37d6b15b923f58aff88991696a9

commit 156684c20844d37d6b15b923f58aff88991696a9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=974ea38cb1486c677456bd449b95ee18e3e7ecc3

commit 974ea38cb1486c677456bd449b95ee18e3e7ecc3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=42e85e03ab026a86c127b7d0ec7fb94e1a94f75f

commit 42e85e03ab026a86c127b7d0ec7fb94e1a94f75f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=178c538fec626552e7ec57072a93b3715623e6ac

commit 178c538fec626552e7ec57072a93b3715623e6ac
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=722fae4ea63db2a00f51c08a14d723ad87fd97d9

commit 722fae4ea63db2a00f51c08a14d723ad87fd97d9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f7b80d2460a6a65a292c067bfaf12d714767bcf9

commit f7b80d2460a6a65a292c067bfaf12d714767bcf9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4651ae36240aaaf68cdb47687889274248e1274b

commit 4651ae36240aaaf68cdb47687889274248e1274b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=75c783a7f653a4396cb2f3a1314fac5bda1b5a8f

commit 75c783a7f653a4396cb2f3a1314fac5bda1b5a8f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=07add391d6215283f7338e451060a144bd241bd9

commit 07add391d6215283f7338e451060a144bd241bd9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5830f31e3722b9269c618a39bfd56052c609d711

commit 5830f31e3722b9269c618a39bfd56052c609d711
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ad4e6d6ef856e42ce04d66bc8c06c31523edb9bb

commit ad4e6d6ef856e42ce04d66bc8c06c31523edb9bb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4c83ae2974e8153950355eca983b33e13bad7490

commit 4c83ae2974e8153950355eca983b33e13bad7490
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=90470ebb84408d72de8a13806b2e84801fbcc026

commit 90470ebb84408d72de8a13806b2e84801fbcc026
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=776df644b03f53de0e1d21d4b6e8df0fb287117e

commit 776df644b03f53de0e1d21d4b6e8df0fb287117e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=06242cab8769046e2c3e9670de0b0e664f9624ef

commit 06242cab8769046e2c3e9670de0b0e664f9624ef
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ada59d4ba350be38e3b5d960053eac19f0c22bf1

commit ada59d4ba350be38e3b5d960053eac19f0c22bf1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef

commit 2ba73f56d3ec95471df9cefd6db9935ec8bdc4ef
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d2ce932c7ce9c31c4b085c61c43ac8e637713dcd

commit d2ce932c7ce9c31c4b085c61c43ac8e637713dcd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..d183e12 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,412 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards that could guarantee consistency.  To
+ensure MT- and AS-Safe behavior, callers must ensure that the objects
+passed in are not modified concurrently by other threads or signal
+handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+properties we documented are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2bd5708daeac2ff089c6eebd6944f4ced306e4d8

commit 2bd5708daeac2ff089c6eebd6944f4ced306e4d8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..07f27c9 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,411 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards to ensure consistency.  To ensure MT- and
+AS-Safe behavior, callers must ensure that the objects passed in are not
+modified concurrently by other threads or signal handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+propertes we documentated are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b636b87be9756886bb0f9f1396c31b42d3f83c23

commit b636b87be9756886bb0f9f1396c31b42d3f83c23
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,411 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item 
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item 
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item 
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards to ensure consistency.  To ensure MT- and
+AS-Safe behavior, callers must ensure that the objects passed in are not
+modified concurrently by other threads or signal handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.  
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+propertes we documentated are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f4268118ff7169b7016697e2344525b93dd6be01

commit f4268118ff7169b7016697e2344525b93dd6be01
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5604d817c0a7feccf5aa0dfa7cb2d583d86ec65f

commit 5604d817c0a7feccf5aa0dfa7cb2d583d86ec65f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b290d7167651106f65de65171d52b70c6188329a

commit b290d7167651106f65de65171d52b70c6188329a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=22b44b5585a77352a33172a9583ea1e002e1602c

commit 22b44b5585a77352a33172a9583ea1e002e1602c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6343a1a039c34d3c7408f4bb560c2515343360eb

commit 6343a1a039c34d3c7408f4bb560c2515343360eb
Merge: 52c6e12 cd940c7 62bbc3d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:47 2013 -0300

    sink


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=52c6e12e2a8d569f205756903cc1d228dcc428e5

commit 52c6e12e2a8d569f205756903cc1d228dcc428e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:47 2013 -0300

    sink

diff --git a/meta b/meta
index 0ca07b4..1943013 100644
--- a/meta
+++ b/meta
@@ -1,30 +1,30 @@
 Version: 1
-Previous: dd7582572f4b13b728b2961d9fffe5f522a89528
-Head: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
+Previous: 62bbc3d80d58e685b5c3e655681849574ef8b421
+Head: cd940c77f411533af456e9cec1af020887deb9f7
 Applied:
-  manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
-  powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
-  unused-scalb-is-scalbn.patch: 62694b21850cd676e82306bc82418b952b9d3d31
-  manual-document-mt-safety-argp.patch: 8b86b0ead9b1494ad7b0aa283a423813ed5e8bc7
-  manual-document-mt-safety-arith.patch: 5a1a8a43ebaa9cc6a6dc182bd931fbca63e7d866
-  manual-document-mt-safety-charset.patch: 296ae41496afc524f6f75648a3298a5419b46990
-  manual-document-mt-safety-conf.patch: 95b0911edf2eb244430d9533ec0a8a3f7058581c
-  manual-document-mt-safety-crypt.patch: e600904c5eab885a1a7c8aef6bb2f570bd201275
-  manual-document-mt-safety-ctype.patch: 727a9c49e98194570a2c85e47c355bcc55398cd9
-  manual-document-mt-safety-debug.patch: 7f89734934ba539d84fdf02163f64ae84f795ac9
-  manual-document-mt-safety-errno.patch: b035d6eeb7b48636043919617d515c88522ba6c3
-  manual-document-mt-safety-filesys.patch: d1d06a086358b876405130714e2c5cf0d7740ab8
-  manual-document-mt-safety-getopt.patch: c48dff451b9a543c5f827092417468a0d6672c59
-  manual-document-mt-safety-job.patch: 138c83afb5f7d92dcac1049f150b154d43addda2
-  manual-document-mt-safety-lang.patch: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
-  manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
-  manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
-  wip-manual-document-mt-safety-locale.patch: 26ea2d6064d2c298f6270e127600518ef48d28cf
-  manual-document-mt-safety-math.patch: d3dde95c92ff8c7cd8e225a21b46c00449db834d
-  manual-document-mt-safety-resource.patch: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
-  manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
-  wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
-  manual-document-mt-safety-stdio.patch: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
+  wip-manual-document-mt-safety-startup.patch: 805b53d0709375c42ca52cdb1b8e1a9e9dc041a1
+  manual-document-mt-safety.patch: 6302ecd89c407c9fa96dd9a6263175c8ef1dee48
+  powerpc-nofpu-sim-note-nothread.patch: ebf259b70d2e3b3122af4e09e78b5112f9160389
+  unused-scalb-is-scalbn.patch: cfe805ba9962e7ecb02cb7d91f07e877fccc1742
+  manual-document-mt-safety-argp.patch: 12aba27e1c96ff9703ea9423bf471fa3f0454616
+  manual-document-mt-safety-arith.patch: d4bc90d431da292824c33273485aab09d0c9ada3
+  manual-document-mt-safety-charset.patch: 71ab9cf6aa2f9992310fda06683ba6db44faff8a
+  manual-document-mt-safety-conf.patch: 0a6834ab437d116e8ebd6d9c7232f1daaf23e892
+  manual-document-mt-safety-crypt.patch: 39e993dc2ae9653217a042eeedfe06456f1c9ea0
+  manual-document-mt-safety-ctype.patch: 7ac8448e6d04eff177c2c665fdcbb07c93a917ad
+  manual-document-mt-safety-debug.patch: 35461a82e984e8751071f7c46c048d911397fb9e
+  manual-document-mt-safety-errno.patch: df11bbcd0fcc1b33c747f8e9cb13d296575e0f3e
+  manual-document-mt-safety-filesys.patch: 833600d06ecc585f1dd82165a6c0af8f0b6e82c2
+  manual-document-mt-safety-getopt.patch: 54959e6a17b3ca7272b56edee5293cea3b346c5f
+  manual-document-mt-safety-job.patch: c25daa987c90bfad25cb4e1273fd92cf71fdf232
+  manual-document-mt-safety-lang.patch: d6fbd9b15e0b0a304a84dd9a10e07d1a7b94ddfa
+  manual-document-mt-safety-libdl.patch: bf1322ac2f5a65a30bc797fa97ba036fa9ded52b
+  manual-document-mt-safety-llio.patch: c42f6feb7f97230157c3ceb687a159b84bb4d7d8
+  wip-manual-document-mt-safety-locale.patch: e8c35213fe8fef0412e66e661ebd802026da720b
+  manual-document-mt-safety-math.patch: 0fd2970206a6c8a76bebacec7637139b2007fb7e
+  manual-document-mt-safety-resource.patch: b01f62db5594863fa7579f21f05ad57104fa679d
+  manual-document-mt-safety-search.patch: fbbed37c987a939b69864e80aa62d0a79af16d45
+  manual-document-mt-safety-stdio.patch: cd940c77f411533af456e9cec1af020887deb9f7
 Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 914e844..482ace8 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: 6ef173fc60a9c842433354081fa0216e4430c1b8
-Top:    206cd625e1e8e8dc3e141cdd29c90772cf35e923
+Bottom: 3015208671bba3feaab85a1d0587333944496507
+Top:    3bf770a43ecbc7a48273b81910c72f77782ed1ca
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 49b1456..49910ab 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 206cd625e1e8e8dc3e141cdd29c90772cf35e923
-Top:    260809414e54f35864ab54b52fdbff3517f05f2e
+Bottom: 3bf770a43ecbc7a48273b81910c72f77782ed1ca
+Top:    f0342b90632c74b9a721b35d9c95ea85919ae5a4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index c4d22ae..9e69579 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: 260809414e54f35864ab54b52fdbff3517f05f2e
-Top:    0ed3cc03efad5a94ba0a48cd696ec823658ac35b
+Bottom: f0342b90632c74b9a721b35d9c95ea85919ae5a4
+Top:    e24c4115f83f7eb92649db91634e17593123738e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:01:33 -0300
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index 0db760e..920632a 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,5 +1,5 @@
-Bottom: 0ed3cc03efad5a94ba0a48cd696ec823658ac35b
-Top:    621eb53ac8713123406be43ebd474132b7c6e4de
+Bottom: e24c4115f83f7eb92649db91634e17593123738e
+Top:    b5ee8a1d755fc9b47ec6c5b52642ba912dd57f1c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:16 -0300
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 20411b6..6f5b2da 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
-Bottom: 621eb53ac8713123406be43ebd474132b7c6e4de
-Top:    25551ef91682bea014db1b2031e4dad60a4ba129
+Bottom: b5ee8a1d755fc9b47ec6c5b52642ba912dd57f1c
+Top:    8d7d2a6304d608c30830622d547d0885c92e4088
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:47 -0300
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 8700f8e..860831d 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 25551ef91682bea014db1b2031e4dad60a4ba129
-Top:    1fe3a56b7e61d235687df61e4d4bded8e7283992
+Bottom: 8d7d2a6304d608c30830622d547d0885c92e4088
+Top:    b68c41c74be21ce5c0d141f46075c7c4824255a0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index 2063a20..bbd624b 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: 1fe3a56b7e61d235687df61e4d4bded8e7283992
-Top:    5add8b2d9a79567d15e402219a50ddf6704cdcea
+Bottom: b68c41c74be21ce5c0d141f46075c7c4824255a0
+Top:    8825d25214af5bd5f5000d77da51dd0136ce4967
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:11 -0300
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 7b30386..4c0d22a 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: 5add8b2d9a79567d15e402219a50ddf6704cdcea
-Top:    50fd6f363b9af88ae1e05db55cefcd1e41c10123
+Bottom: 8825d25214af5bd5f5000d77da51dd0136ce4967
+Top:    3c15ad10698d40f3a9a3f3cf4d5494cdbb3f36d3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:34 -0300
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 7b4e146..27656d8 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: 50fd6f363b9af88ae1e05db55cefcd1e41c10123
-Top:    c0467ea68e04c4b52c9c771dad681e1220291a6a
+Bottom: 3c15ad10698d40f3a9a3f3cf4d5494cdbb3f36d3
+Top:    19a289ef47d8b90cc68b095d1ee674a14b6cfcd6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index 753c8f5..18640dd 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: c0467ea68e04c4b52c9c771dad681e1220291a6a
-Top:    18760d732995b8379bc372377398a8fd58732762
+Bottom: 19a289ef47d8b90cc68b095d1ee674a14b6cfcd6
+Top:    e4f410db325f1ed99571de968b979924a181518e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
index b4d3b96..8683ffe 100644
--- a/patches/manual-document-mt-safety-job.patch
+++ b/patches/manual-document-mt-safety-job.patch
@@ -1,5 +1,5 @@
-Bottom: 18760d732995b8379bc372377398a8fd58732762
-Top:    78811ad7f6f34dae902d17fe9939b1ed2877fc8c
+Bottom: e4f410db325f1ed99571de968b979924a181518e
+Top:    4ea71e22c9fe558431bb0c09aff41b873f8cb26a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:15 -0300
 
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
index eef82af..45c3684 100644
--- a/patches/manual-document-mt-safety-lang.patch
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -1,5 +1,5 @@
-Bottom: 78811ad7f6f34dae902d17fe9939b1ed2877fc8c
-Top:    95e3af012c2d8222ce9c18f313b200f086405d32
+Bottom: 4ea71e22c9fe558431bb0c09aff41b873f8cb26a
+Top:    8308f7496ee59e742bc30a47396ed16b09f4ed78
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:32 -0300
 
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
index 51626a1..f0ef929 100644
--- a/patches/manual-document-mt-safety-libdl.patch
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -1,5 +1,5 @@
-Bottom: 95e3af012c2d8222ce9c18f313b200f086405d32
-Top:    5d6bbf322290ec49c7df2274a5b3ec79d32fd303
+Bottom: 8308f7496ee59e742bc30a47396ed16b09f4ed78
+Top:    e209dda6062453b563bc99b39fdc7f9a8c570777
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:08:59 -0300
 
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
index 274aefd..de6b6dc 100644
--- a/patches/manual-document-mt-safety-llio.patch
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -1,5 +1,5 @@
-Bottom: 5d6bbf322290ec49c7df2274a5b3ec79d32fd303
-Top:    baf6738652c9240a7ea48273cff318ffb17716d8
+Bottom: e209dda6062453b563bc99b39fdc7f9a8c570777
+Top:    5f68670b8dd4ad6830a841a3dc70f473f514faaf
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:09:32 -0300
 
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 66820ca..1d22852 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 9a5ec672bda784c35e1f86d0f274cdb9e58f217c
-Top:    d5ba9adc90be6728f409ed99bc36a2fc6e659db0
+Bottom: 40bcd99e1057f6cfbf0a4f7686699d08270ed358
+Top:    151392b3790f3070194c6e79b03e9b88b9fb3052
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
index 3fa9fb2..6cbd7ab 100644
--- a/patches/manual-document-mt-safety-resource.patch
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
-Top:    e27f818dd7517eeba6c572017e1d77241113d456
+Bottom: 151392b3790f3070194c6e79b03e9b88b9fb3052
+Top:    fc7b8a7dee8f458b513deaaf4f60d03ca33535c2
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
index fb52bb3..8e3e36f 100644
--- a/patches/manual-document-mt-safety-search.patch
+++ b/patches/manual-document-mt-safety-search.patch
@@ -1,5 +1,5 @@
-Bottom: e27f818dd7517eeba6c572017e1d77241113d456
-Top:    8ae75524ca0a1176e4323c74b73cb0722e710364
+Bottom: fc7b8a7dee8f458b513deaaf4f60d03ca33535c2
+Top:    195f80ed20d8cfa61af3b5629d405de8be7b40fc
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:55 -0300
 
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index e164c49..36caa7a 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,5 +1,5 @@
-Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
-Top:    c59759fbdfb422ada848ebdd3845677059986449
+Bottom: 5efab0c449ae83db3aa70ebd97b31e7fb29fe50b
+Top:    72ab4d51f78fd9a15e02a670cc921a59761f3ffb
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index 7f2c050..a1d126e 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,5 +1,5 @@
-Bottom: c59759fbdfb422ada848ebdd3845677059986449
-Top:    a8bc26b023f2d43016f043a1972e12edc1f31f8d
+Bottom: 72ab4d51f78fd9a15e02a670cc921a59761f3ffb
+Top:    47b4fcd31a0f1ee3c6e9b10a9512e2afc2975e5f
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 0fa4208..62fcad2 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,5 +1,5 @@
-Bottom: a8bc26b023f2d43016f043a1972e12edc1f31f8d
-Top:    6ef173fc60a9c842433354081fa0216e4430c1b8
+Bottom: 47b4fcd31a0f1ee3c6e9b10a9512e2afc2975e5f
+Top:    3015208671bba3feaab85a1d0587333944496507
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 6515b05..2c23cb9 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
-Top:    9a5ec672bda784c35e1f86d0f274cdb9e58f217c
+Bottom: 5f68670b8dd4ad6830a841a3dc70f473f514faaf
+Top:    40bcd99e1057f6cfbf0a4f7686699d08270ed358
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
index cd2fcf0..6de832f 100644
--- a/patches/wip-manual-document-mt-safety-startup.patch
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -1,5 +1,5 @@
-Bottom: 8ae75524ca0a1176e4323c74b73cb0722e710364
-Top:    195f80ed20d8cfa61af3b5629d405de8be7b40fc
+Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
+Top:    5efab0c449ae83db3aa70ebd97b31e7fb29fe50b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:12:28 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cd940c77f411533af456e9cec1af020887deb9f7

commit cd940c77f411533af456e9cec1af020887deb9f7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fbbed37c987a939b69864e80aa62d0a79af16d45

commit fbbed37c987a939b69864e80aa62d0a79af16d45
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b01f62db5594863fa7579f21f05ad57104fa679d

commit b01f62db5594863fa7579f21f05ad57104fa679d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0fd2970206a6c8a76bebacec7637139b2007fb7e

commit 0fd2970206a6c8a76bebacec7637139b2007fb7e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e8c35213fe8fef0412e66e661ebd802026da720b

commit e8c35213fe8fef0412e66e661ebd802026da720b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c42f6feb7f97230157c3ceb687a159b84bb4d7d8

commit c42f6feb7f97230157c3ceb687a159b84bb4d7d8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bf1322ac2f5a65a30bc797fa97ba036fa9ded52b

commit bf1322ac2f5a65a30bc797fa97ba036fa9ded52b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d6fbd9b15e0b0a304a84dd9a10e07d1a7b94ddfa

commit d6fbd9b15e0b0a304a84dd9a10e07d1a7b94ddfa
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c25daa987c90bfad25cb4e1273fd92cf71fdf232

commit c25daa987c90bfad25cb4e1273fd92cf71fdf232
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=54959e6a17b3ca7272b56edee5293cea3b346c5f

commit 54959e6a17b3ca7272b56edee5293cea3b346c5f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=833600d06ecc585f1dd82165a6c0af8f0b6e82c2

commit 833600d06ecc585f1dd82165a6c0af8f0b6e82c2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=df11bbcd0fcc1b33c747f8e9cb13d296575e0f3e

commit df11bbcd0fcc1b33c747f8e9cb13d296575e0f3e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=35461a82e984e8751071f7c46c048d911397fb9e

commit 35461a82e984e8751071f7c46c048d911397fb9e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7ac8448e6d04eff177c2c665fdcbb07c93a917ad

commit 7ac8448e6d04eff177c2c665fdcbb07c93a917ad
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=39e993dc2ae9653217a042eeedfe06456f1c9ea0

commit 39e993dc2ae9653217a042eeedfe06456f1c9ea0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0a6834ab437d116e8ebd6d9c7232f1daaf23e892

commit 0a6834ab437d116e8ebd6d9c7232f1daaf23e892
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=71ab9cf6aa2f9992310fda06683ba6db44faff8a

commit 71ab9cf6aa2f9992310fda06683ba6db44faff8a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d4bc90d431da292824c33273485aab09d0c9ada3

commit d4bc90d431da292824c33273485aab09d0c9ada3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=12aba27e1c96ff9703ea9423bf471fa3f0454616

commit 12aba27e1c96ff9703ea9423bf471fa3f0454616
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cfe805ba9962e7ecb02cb7d91f07e877fccc1742

commit cfe805ba9962e7ecb02cb7d91f07e877fccc1742
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ebf259b70d2e3b3122af4e09e78b5112f9160389

commit ebf259b70d2e3b3122af4e09e78b5112f9160389
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6302ecd89c407c9fa96dd9a6263175c8ef1dee48

commit 6302ecd89c407c9fa96dd9a6263175c8ef1dee48
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,411 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item 
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item 
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item 
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards to ensure consistency.  To ensure MT- and
+AS-Safe behavior, callers must ensure that the objects passed in are not
+modified concurrently by other threads or signal handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.  
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+propertes we documentated are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=805b53d0709375c42ca52cdb1b8e1a9e9dc041a1

commit 805b53d0709375c42ca52cdb1b8e1a9e9dc041a1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=62bbc3d80d58e685b5c3e655681849574ef8b421

commit 62bbc3d80d58e685b5c3e655681849574ef8b421
Merge: 0e55a9c dd75825
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:37 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0e55a9c6ec47f13061f558ee8470974665beab5d

commit 0e55a9c6ec47f13061f558ee8470974665beab5d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:37 2013 -0300

    pop

diff --git a/meta b/meta
index 67b2216..0ca07b4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 20f589de14be98a69a13023b7d7b978a7098b118
-Head: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
+Previous: dd7582572f4b13b728b2961d9fffe5f522a89528
+Head: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -25,9 +25,9 @@ Applied:
   manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
   wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
   manual-document-mt-safety-stdio.patch: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
+Unapplied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
   wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
   wip-manual-document-mt-safety-time.patch: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dd7582572f4b13b728b2961d9fffe5f522a89528

commit dd7582572f4b13b728b2961d9fffe5f522a89528
Merge: e6a6049 20f589d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:16 2013 -0300

    delete


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e6a6049d014d552c0cf6925f4b29c47e927b4e28

commit e6a6049d014d552c0cf6925f4b29c47e927b4e28
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:16 2013 -0300

    delete

diff --git a/meta b/meta
index 6208427..67b2216 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 3152fe9b71d25e5a079af8a12b1ab66c69174413
-Head: 4fbc047902ffe2e52e83f768573b9b8b0cdd8e7c
+Previous: 20f589de14be98a69a13023b7d7b978a7098b118
+Head: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -29,6 +29,5 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
   wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
   wip-manual-document-mt-safety-time.patch: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
-  manual-document-mt-safety-wip.patch: 4fbc047902ffe2e52e83f768573b9b8b0cdd8e7c
 Unapplied:
 Hidden:
diff --git a/patches/manual-document-mt-safety-wip.patch b/patches/manual-document-mt-safety-wip.patch
deleted file mode 100644
index 46ded4a..0000000
--- a/patches/manual-document-mt-safety-wip.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Bottom: 7472b1dd7a8cc8760b98cd08cb7f8418374249ed
-Top:    7472b1dd7a8cc8760b98cd08cb7f8418374249ed
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:41 -0300
-
-Thread safety documentation.
-
-for ChangeLog
-
-	* manual/???.texi: Document thread safety properties.
-
-
----
-
-

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=20f589de14be98a69a13023b7d7b978a7098b118

commit 20f589de14be98a69a13023b7d7b978a7098b118
Merge: 9f26d9d 4fbc047 3152fe9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:04 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9f26d9d88a728ee83429283429062fd7da5352ec

commit 9f26d9d88a728ee83429283429062fd7da5352ec
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:15:04 2013 -0300

    push

diff --git a/meta b/meta
index 2ab621e..6208427 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 32cc08f6887f254257307044a1da7e83889300d8
-Head: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
+Previous: 3152fe9b71d25e5a079af8a12b1ab66c69174413
+Head: 4fbc047902ffe2e52e83f768573b9b8b0cdd8e7c
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -29,6 +29,6 @@ Applied:
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
   wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
   wip-manual-document-mt-safety-time.patch: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
+  manual-document-mt-safety-wip.patch: 4fbc047902ffe2e52e83f768573b9b8b0cdd8e7c
 Unapplied:
-  manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/manual-document-mt-safety-wip.patch b/patches/manual-document-mt-safety-wip.patch
index 0350f71..46ded4a 100644
--- a/patches/manual-document-mt-safety-wip.patch
+++ b/patches/manual-document-mt-safety-wip.patch
@@ -1,4 +1,4 @@
-Bottom: edfbd2bf9a8a7592b48fc6ddfd6dd6a196355d21
+Bottom: 7472b1dd7a8cc8760b98cd08cb7f8418374249ed
 Top:    7472b1dd7a8cc8760b98cd08cb7f8418374249ed
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
@@ -12,1296 +12,4 @@ for ChangeLog
 
 ---
 
-diff --git a/manual/job.texi b/manual/job.texi
-index 4efeed3..779ea96 100644
---- a/manual/job.texi
-+++ b/manual/job.texi
-@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
- @comment stdio.h
- @comment POSIX.1
- @deftypefun {char *} ctermid (char *@var{string})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This function is a stub by default; the actual implementation, for
-+@c posix systems, returns an internal buffer if passed a NULL string,
-+@c but the internal buffer is always set to /dev/tty.
- The @code{ctermid} function returns a string containing the file name of
- the controlling terminal for the current process.  If @var{string} is
- not a null pointer, it should be an array that can hold at least
-@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
- @comment unistd.h
- @comment POSIX.1
- @deftypefun pid_t setsid (void)
-+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
-+@c This is usually a direct syscall, but if a syscall is not available,
-+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
-+@c uses a mutex and a hurd critical section, and the latter issues a few
-+@c syscalls, so both seem safe, except for the locking on Hurd.
- The @code{setsid} function creates a new session.  The calling process
- becomes the session leader, and is put in a new process group whose
- process group ID is the same as the process ID of that process.  There
-@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
- @comment unistd.h
- @comment SVID
- @deftypefun pid_t getsid (pid_t @var{pid})
--
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Stub or direct syscall, except on hurd, where it is equally safe.
- The @code{getsid} function returns the process group ID of the session
- leader of the specified process.  If a @var{pid} is @code{0}, the
- process group ID of the session leader of the current process is
-@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
- @comment unistd.h
- @comment POSIX.1
- @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Wrapper for getpgid.
- The POSIX.1 definition of @code{getpgrp} returns the process group ID of
- the calling process.
- @end deftypefn
-@@ -1141,6 +1153,8 @@ the calling process.
- @comment unistd.h
- @comment BSD
- @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Wrapper for getpgid.
- The BSD definition of @code{getpgrp} returns the process group ID of the
- process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
- argument to get information about the calling process.
-@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
- @comment unistd.h
- @comment SVID
- @deftypefn {System V Function} int getpgid (pid_t @var{pid})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Stub or direct syscall, except on hurd, where it is equally safe.
- 
- @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
- returns the process group ID of the process @var{pid}.  You can supply a
-@@ -1171,6 +1187,8 @@ process.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Stub or direct syscall, except on hurd, where it is equally safe.
- The @code{setpgid} function puts the process @var{pid} into the process
- group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
- be zero to indicate the process ID of the calling process.
-@@ -1208,6 +1226,8 @@ process or a child of the calling process.
- @comment unistd.h
- @comment BSD
- @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct syscall or setpgid wrapper.
- This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
- the same thing.
- @end deftypefun
-@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun pid_t tcgetpgrp (int @var{filedes})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Stub, or ioctl on BSD and GNU/Linux.
- This function returns the process group ID of the foreground process
- group associated with the terminal open on descriptor @var{filedes}.
- 
-@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Stub, or ioctl on BSD and GNU/Linux.
- This function is used to set a terminal's foreground process group ID.
- The argument @var{filedes} is a descriptor which specifies the terminal;
- @var{pgid} specifies the process group.  The calling process must be a
-@@ -1297,6 +1321,8 @@ process.
- @comment termios.h
- @comment Unix98
- @deftypefun pid_t tcgetsid (int @var{fildes})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
- This function is used to obtain the process group ID of the session
- for which the terminal specified by @var{fildes} is the controlling terminal.
- If the call is successful the group ID is returned.  Otherwise the
-diff --git a/manual/lang.texi b/manual/lang.texi
-index ee04e23..d6cd90c 100644
---- a/manual/lang.texi
-+++ b/manual/lang.texi
-@@ -51,6 +51,8 @@ without indicating anything might be wrong.
- @comment assert.h
- @comment ISO
- @deftypefn Macro void assert (int @var{expression})
-+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
-+@c assert_fail_base calls asprintf, and fflushes stderr.
- Verify the programmer's belief that @var{expression} is nonzero at
- this point in the program.
- 
-@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
- @comment assert.h
- @comment GNU
- @deftypefn Macro void assert_perror (int @var{errnum})
-+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
-+@c assert_fail_base calls asprintf, and fflushes stderr.
- Similar to @code{assert}, but verifies that @var{errnum} is zero.
- 
- If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
-@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
- @comment stdarg.h
- @comment ISO
- @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is no longer provided by glibc, but rather by the compiler.
- This macro initializes the argument pointer variable @var{ap} to point
- to the first of the optional arguments of the current function;
- @var{last-required} must be the last required argument to the function.
-@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
- @comment stdarg.h
- @comment ISO
- @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is no longer provided by glibc, but rather by the compiler.
- The @code{va_arg} macro returns the value of the next optional argument,
- and modifies the value of @var{ap} to point to the subsequent argument.
- Thus, successive uses of @code{va_arg} return successive optional
-@@ -445,6 +453,8 @@ of the actual argument.
- @comment stdarg.h
- @comment ISO
- @deftypefn {Macro} void va_end (va_list @var{ap})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is no longer provided by glibc, but rather by the compiler.
- This ends the use of @var{ap}.  After a @code{va_end} call, further
- @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
- @code{va_end} before returning from the function in which @code{va_start}
-@@ -466,6 +476,8 @@ of the same type.
- @comment ISO
- @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
- @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is no longer provided by glibc, but rather by the compiler.
- The @code{va_copy} macro allows copying of objects of type
- @code{va_list} even if this is not an integral type.  The argument pointer
- in @var{dest} is initialized to point to the same argument as the
-@@ -1212,6 +1224,8 @@ type of a particular structure member.
- @comment stddef.h
- @comment ISO
- @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is no longer provided by glibc, but rather by the compiler.
- This expands to a integer constant expression that is the offset of the
- structure member named @var{member} in the structure type @var{type}.
- For example, @code{offsetof (struct s, elem)} is the offset, in bytes,
-diff --git a/manual/libdl.texi b/manual/libdl.texi
-new file mode 100644
-index 0000000..e3fe045
---- /dev/null
-+++ b/manual/libdl.texi
-@@ -0,0 +1,10 @@
-+@c FIXME these are undocumented:
-+@c dladdr
-+@c dladdr1
-+@c dlclose
-+@c dlerror
-+@c dlinfo
-+@c dlmopen
-+@c dlopen
-+@c dlsym
-+@c dlvsym
-diff --git a/manual/llio.texi b/manual/llio.texi
-index b129cf4..66370c4 100644
---- a/manual/llio.texi
-+++ b/manual/llio.texi
-@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
- @comment fcntl.h
- @comment POSIX.1
- @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
-+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
- The @code{open} function creates and returns a new file descriptor for
- the file named by @var{filename}.  Initially, the file position
- indicator for the file is at the beginning of the file.  The argument
-@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
- @comment fcntl.h
- @comment Unix98
- @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
-+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
- This function is similar to @code{open}.  It returns a file descriptor
- which can be used to access the file named by @var{filename}.  The only
- difference is that on 32 bit systems the file is opened in the
-@@ -178,6 +180,7 @@ replaces the old API.
- @comment fcntl.h
- @comment POSIX.1
- @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
- This function is obsolete.  The call:
- 
- @smallexample
-@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
- @comment fcntl.h
- @comment Unix98
- @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
- This function is similar to @code{creat}.  It returns a file descriptor
- which can be used to access the file named by @var{filename}.  The only
- the difference is that on 32 bit systems the file is opened in the
-@@ -219,6 +223,7 @@ replaces the old API.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int close (int @var{filedes})
-+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
- The function @code{close} closes the file descriptor @var{filedes}.
- Closing a file has the following consequences:
- 
-@@ -300,6 +305,7 @@ but must be a signed type.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{read} function reads up to @var{size} bytes from the file
- with descriptor @var{filedes}, storing the results in the @var{buffer}.
- (This is not necessarily a character string, and no terminating null
-@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
- @comment unistd.h
- @comment Unix98
- @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
-+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
-+@c used anywhere?
- The @code{pread} function is similar to the @code{read} function.  The
- first three arguments are identical, and the return values and error
- codes also correspond.
-@@ -430,6 +440,10 @@ version 2.
- @comment unistd.h
- @comment Unix98
- @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
-+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
-+@c it used anywhere?
- This function is similar to the @code{pread} function.  The difference
- is that the @var{offset} parameter is of type @code{off64_t} instead of
- @code{off_t} which makes it possible on 32 bit machines to address
-@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
- @comment unistd.h
- @comment POSIX.1
- @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{write} function writes up to @var{size} bytes from
- @var{buffer} to the file with descriptor @var{filedes}.  The data in
- @var{buffer} is not necessarily a character string and a null character is
-@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
- @comment unistd.h
- @comment Unix98
- @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
-+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
-+@c used anywhere?
- The @code{pwrite} function is similar to the @code{write} function.  The
- first three arguments are identical, and the return values and error codes
- also correspond.
-@@ -592,6 +611,10 @@ version 2.
- @comment unistd.h
- @comment Unix98
- @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
-+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
-+@c is it used anywhere?
- This function is similar to the @code{pwrite} function.  The difference
- is that the @var{offset} parameter is of type @code{off64_t} instead of
- @code{off_t} which makes it possible on 32 bit machines to address
-@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
- @comment unistd.h
- @comment POSIX.1
- @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{lseek} function is used to change the file position of the
- file with descriptor @var{filedes}.
- 
-@@ -713,6 +737,7 @@ descriptors.
- @comment unistd.h
- @comment Unix98
- @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to the @code{lseek} function.  The difference
- is that the @var{offset} parameter is of type @code{off64_t} instead of
- @code{off_t} which makes it possible on 32 bit machines to address
-@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
- @comment stdio.h
- @comment POSIX.1
- @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
- The @code{fdopen} function returns a new stream for the file descriptor
- @var{filedes}.
- 
-@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
- @comment stdio.h
- @comment POSIX.1
- @deftypefun int fileno (FILE *@var{stream})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function returns the file descriptor associated with the stream
- @var{stream}.  If an error is detected (for example, if the @var{stream}
- is not valid) or if @var{stream} does not do I/O to a file,
-@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
- @comment stdio.h
- @comment GNU
- @deftypefun int fileno_unlocked (FILE *@var{stream})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{fileno_unlocked} function is equivalent to the @code{fileno}
- function except that it does not implicitly lock the stream if the state
- is @code{FSETLOCKING_INTERNAL}.
-@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
- @comment sys/uio.h
- @comment BSD
- @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
--
-+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
-+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
-+@c with old kernels that lack a full readv/writev implementation, may
-+@c malloc the buffer into which data is read, if the total read size is
-+@c too large for alloca.
- The @code{readv} function reads data from @var{filedes} and scatters it
- into the buffers described in @var{vector}, which is taken to be
- @var{count} structures long.  As each buffer is filled, data is sent to the
-@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
- @comment sys/uio.h
- @comment BSD
- @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
-+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
-+@c with old kernels that lack a full readv/writev implementation, may
-+@c malloc the buffer from which data is written, if the total write size
-+@c is too large for alloca.
- 
- The @code{writev} function gathers data from the buffers described in
- @var{vector}, which is taken to be @var{count} structures long, and writes
-@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
- @comment sys/mman.h
- @comment POSIX
- @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- The @code{mmap} function creates a new mapping, connected to bytes
- (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
-@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
- @comment sys/mman.h
- @comment LFS
- @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
-+@c is) would be thread-unsafe.
- The @code{mmap64} function is equivalent to the @code{mmap} function but
- the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
- this allows the file associated with the @var{filedes} descriptor to be
-@@ -1284,6 +1325,7 @@ replaces the old API.
- @comment sys/mman.h
- @comment POSIX
- @deftypefun int munmap (void *@var{addr}, size_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
- @var{length}).  @var{length} should be the length of the mapping.
-@@ -1310,6 +1352,7 @@ aligned.
- @comment sys/mman.h
- @comment POSIX
- @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- When using shared mappings, the kernel can write the file at any time
- before the mapping is removed.  To be certain data has actually been
-@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
- @comment sys/mman.h
- @comment GNU
- @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- This function can be used to change the size of an existing memory
- area. @var{address} and @var{length} must cover a region entirely mapped
-@@ -1405,6 +1449,7 @@ Coding Standards}.
- @comment sys/mman.h
- @comment POSIX
- @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- This function can be used to provide the system with @var{advice} about
- the intended usage patterns of the memory region starting at @var{addr}
-@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
- @comment sys/types.h
- @comment BSD
- @deftypefn Macro void FD_ZERO (fd_set *@var{set})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro initializes the file descriptor set @var{set} to be the
- empty set.
- @end deftypefn
-@@ -1538,6 +1584,9 @@ empty set.
- @comment sys/types.h
- @comment BSD
- @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Setting a bit isn't necessarily atomic, so there's a potential race
-+@c here if set is not used exclusively.
- This macro adds @var{filedes} to the file descriptor set @var{set}.
- 
- The @var{filedes} parameter must not have side effects since it is
-@@ -1547,6 +1596,9 @@ evaluated more than once.
- @comment sys/types.h
- @comment BSD
- @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Setting a bit isn't necessarily atomic, so there's a potential race
-+@c here if set is not used exclusively.
- This macro removes @var{filedes} from the file descriptor set @var{set}.
- 
- The @var{filedes} parameter must not have side effects since it is
-@@ -1556,6 +1608,7 @@ evaluated more than once.
- @comment sys/types.h
- @comment BSD
- @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value (true) if @var{filedes} is a member
- of the file descriptor set @var{set}, and zero (false) otherwise.
- 
-@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
- @comment sys/types.h
- @comment BSD
- @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The select syscall is preferred, but pselect6 may be used instead,
-+@c which requires converting timeout to a timespec and back.  The
-+@c conversions are not atomic.
- The @code{select} function blocks the calling process until there is
- activity on any of the specified sets of file descriptors, or until the
- timeout period has expired.
-@@ -1670,6 +1727,7 @@ they return.
- @comment unistd.h
- @comment X/Open
- @deftypefun void sync (void)
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- A call to this function will not return as long as there is data which
- has not been written to the device.  All dirty buffers in the kernel will
- be written and so an overall consistent system can be achieved (if no
-@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
- @comment unistd.h
- @comment POSIX
- @deftypefun int fsync (int @var{fildes})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{fsync} function can be used to make sure all data associated with
- the open file @var{fildes} is written to the device associated with the
- descriptor.  The function call does not return unless all actions have
-@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
- @comment unistd.h
- @comment POSIX
- @deftypefun int fdatasync (int @var{fildes})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- When a call to the @code{fdatasync} function returns, it is ensured
- that all of the file data is written to the device.  For all pending I/O
- operations, the parts guaranteeing data integrity finished.
-@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
- @comment aio.h
- @comment POSIX.1b
- @deftypefun int aio_read (struct aiocb *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
-+@c Calls aio_enqueue_request.
-+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
-+@c  pthread_self ok
-+@c  pthread_getschedparam selfdeadlock, lockleak
-+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
-+@c   sched_getparam ok
-+@c   sched_getscheduler ok
-+@c   lll_unlock lockleak
-+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
-+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
-+@c   realloc asmalloc, memleak
-+@c   calloc asmalloc, memleak
-+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
-+@c   pthread_attr_init ok
-+@c   pthread_attr_setdetachstate ok
-+@c   pthread_get_minstack ok
-+@c   pthread_attr_setstacksize ok
-+@c   sigfillset ok
-+@c    memset ok
-+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
-+@c   SYSCALL rt_sigprocmask ok
-+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
-+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
-+@c    alloca/malloc asmalloc, memleak
-+@c    lll_unlock lockleak
-+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
-+@c     getpagesize dup
-+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
-+@c     lll_unlock lockleak
-+@c     _dl_allocate_tls asmalloc, memleak
-+@c      _dl_allocate_tls_storage asmalloc, memleak
-+@c       memalign asmalloc, memleak
-+@c       memset ok
-+@c       allocate_dtv dup
-+@c       free asmalloc, memleak
-+@c      allocate_dtv asmalloc, memleak
-+@c       calloc asmalloc, memleak
-+@c       INSTALL_DTV ok
-+@c     list_add dup
-+@c     get_cached_stack
-+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
-+@c      list_for_each ok
-+@c      list_entry dup
-+@c      FREE_P dup
-+@c      stack_list_del dup
-+@c      stack_list_add dup
-+@c      lll_unlock lockleak
-+@c      _dl_allocate_tls_init ok
-+@c       GET_DTV ok
-+@c     mmap ok
-+@c     atomic_increment_val ok
-+@c     munmap ok
-+@c     change_stack_perm ok
-+@c      mprotect ok
-+@c     mprotect ok
-+@c     stack_list_del dup
-+@c     _dl_deallocate_tls dup
-+@c     munmap ok
-+@c    THREAD_COPY_STACK_GUARD ok
-+@c    THREAD_COPY_POINTER_GUARD ok
-+@c    atomic_exchange_acq ok
-+@c    lll_futex_wake ok
-+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
-+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
-+@c     stack_list_del ok
-+@c      atomic_write_barrier ok
-+@c      list_del ok [uunguard]
-+@c      atomic_write_barrier ok
-+@c     queue_stack asmalloc, memleak
-+@c      stack_list_add ok
-+@c       atomic_write_barrier ok
-+@c       list_add ok [uunguard]
-+@c       atomic_write_barrier ok
-+@c      free_stacks asmalloc, memleak
-+@c       list_for_each_prev_safe ok
-+@c       list_entry ok
-+@c       FREE_P ok
-+@c       stack_list_del dup
-+@c       _dl_deallocate_tls dup
-+@c       munmap ok
-+@c     _dl_deallocate_tls asmalloc, memleak
-+@c      free asmalloc, memleak
-+@c     lll_unlock lockleak
-+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
-+@c     td_eventword
-+@c     td_eventmask
-+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
-+@c      PREPARE_CREATE ok
-+@c      lll_lock (pd->lock) selfdeadlock, lockleak
-+@c      atomic_increment ok
-+@c      clone ok
-+@c      atomic_decrement ok
-+@c      atomic_exchange_acq ok
-+@c      lll_futex_wake ok
-+@c      deallocate_stack dup
-+@c      sched_setaffinity ok
-+@c      tgkill ok
-+@c      sched_setscheduler ok
-+@c     atomic_compare_and_exchange_bool_acq ok
-+@c     nptl_create_event ok
-+@c     lll_unlock (pd->lock) lockleak
-+@c    free asmalloc, memleak
-+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
-+@c  add_request_to_runlist ok [xguargs]
-+@c  pthread_cond_signal ok
-+@c  aio_free_request ok [xguargs]
-+@c  pthread_mutex_unlock lockleak
-+
-+@c (in the new thread, initiated with clone)
-+@c    start_thread ok
-+@c     HP_TIMING_NOW ok
-+@c     ctype_init [glocale] (in theory, but optimized into safety)
-+@c     atomic_exchange_acq ok
-+@c     lll_futex_wake ok
-+@c     sigemptyset ok
-+@c     sigaddset ok
-+@c     setjmp ok
-+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
-+@c      do_cancel ok
-+@c       pthread_unwind ok
-+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
-+@c     lll_lock selfdeadlock, lockleak
-+@c     lll_unlock selfdeadlock, lockleak
-+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
-+@c      lll_futex_wait ok
-+@c     ->start_routine ok -----
-+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
-+@c      user-supplied dtor
-+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
-+@c      rtld_lock_unlock_recursive lockleak
-+@c      free asmalloc, memleak
-+@c     nptl_deallocate_tsd asmalloc, memleak
-+@c      tsd user-supplied dtors ok
-+@c      free asmalloc, memleak
-+@c     libc_thread_freeres
-+@c      libc_thread_subfreeres ok
-+@c     atomic_decrement_and_test ok
-+@c     td_eventword ok
-+@c     td_eventmask ok
-+@c     atomic_compare_exchange_bool_acq ok
-+@c     nptl_death_event ok
-+@c     lll_robust_dead ok
-+@c     getpagesize ok
-+@c     madvise ok
-+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
-+@c      free asmalloc, memleak
-+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
-+@c     lll_futex_wait ok
-+@c     exit_thread_inline ok
-+@c      syscall(exit) ok
-+
- This function initiates an asynchronous read operation.  It
- immediately returns after the operation was enqueued or when an
- error was encountered.
-@@ -1988,6 +2200,7 @@ replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
- This function is similar to the @code{aio_read} function.  The only
- difference is that on @w{32 bit} machines, the file descriptor should
- be opened in the large file mode.  Internally, @code{aio_read64} uses
-@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
- @comment aio.h
- @comment POSIX.1b
- @deftypefun int aio_write (struct aiocb *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
- This function initiates an asynchronous write operation.  The function
- call immediately returns after the operation was enqueued or if before
- this happens an error was encountered.
-@@ -2072,6 +2286,7 @@ replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
- This function is similar to the @code{aio_write} function.  The only
- difference is that on @w{32 bit} machines the file descriptor should
- be opened in the large file mode.  Internally @code{aio_write64} uses
-@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
- @comment aio.h
- @comment POSIX.1b
- @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
-+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
-+@c enqueues each request.  Then, it waits for notification or prepares
-+@c for it before releasing the lock.  Even though it performs memory
-+@c allocation and locking of its own, it doesn't add any classes of
-+@c safety issues that aren't already covered by aio_enqueue_request.
- The @code{lio_listio} function can be used to enqueue an arbitrary
- number of read and write requests at one time.  The requests can all be
- meant for the same file, all for different files or every solution in
-@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
- This function is similar to the @code{lio_listio} function.  The only
- difference is that on @w{32 bit} machines, the file descriptor should
- be opened in the large file mode.  Internally, @code{lio_listio64} uses
-@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
- @comment aio.h
- @comment POSIX.1b
- @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function determines the error state of the request described by the
- @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
- request has not yet terminated the value returned is always
-@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{aio_error} with the only difference
- that the argument is a reference to a variable of type @code{struct
- aiocb64}.
-@@ -2238,6 +2462,7 @@ machines.
- @comment aio.h
- @comment POSIX.1b
- @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function can be used to retrieve the return status of the operation
- carried out by the request described in the variable pointed to by
- @var{aiocbp}.  As long as the error status of this request as returned
-@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{aio_return} with the only difference
- that the argument is a reference to a variable of type @code{struct
- aiocb64}.
-@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
- @comment aio.h
- @comment POSIX.1b
- @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
-+@c After fcntl to check that the FD is open, it calls
-+@c aio_enqueue_request.
- Calling this function forces all I/O operations operating queued at the
- time of the function call operating on the file descriptor
- @code{aiocbp->aio_fildes} into the synchronized I/O completion state
-@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
- This function is similar to @code{aio_fsync} with the only difference
- that the argument is a reference to a variable of type @code{struct
- aiocb64}.
-@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
- @comment aio.h
- @comment POSIX.1b
- @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
-+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
-+@c for completion or timeout, and release the mutex.
- When calling this function, the calling thread is suspended until at
- least one of the requests pointed to by the @var{nent} elements of the
- array @var{list} has completed.  If any of the requests has already
-@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- This function is similar to @code{aio_suspend} with the only difference
- that the argument is a reference to a variable of type @code{struct
- aiocb64}.
-@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
- @comment aio.h
- @comment POSIX.1b
- @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
-+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
-+@c aio_find_req_fd, aio_remove_request, then aio_notify and
-+@c aio_free_request each request before releasing the lock.
-+@c aio_notify calls aio_notify_only and free, besides cond signal or
-+@c similar.  aio_notify_only calls pthread_attr_init,
-+@c pthread_attr_setdetachstate, malloc, pthread_create,
-+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
-+@c notify_func_wraper calls aio_start_notify_thread, free and then the
-+@c notifier function.
- The @code{aio_cancel} function can be used to cancel one or more
- outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
- function tries to cancel all of the outstanding requests which would process
-@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
- @comment aio.h
- @comment Unix98
- @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
- This function is similar to @code{aio_cancel} with the only difference
- that the argument is a reference to a variable of type @code{struct
- aiocb64}.
-@@ -2529,6 +2774,8 @@ Unused.
- @comment aio.h
- @comment GNU
- @deftypefun void aio_init (const struct aioinit *@var{init})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
-+@c All changes to global objects are guarded by aio_requests_mutex.
- This function must be called before any other AIO function.  Calling it
- is completely voluntary, as it is only meant to help the AIO
- implementation perform better.
-@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
- @comment fcntl.h
- @comment POSIX.1
- @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{fcntl} function performs the operation specified by
- @var{command} on the file descriptor @var{filedes}.  Some commands
- require additional arguments to be supplied.  These additional arguments
-@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int dup (int @var{old})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function copies descriptor @var{old} to the first available
- descriptor number (the first number not currently open).  It is
- equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
-@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int dup2 (int @var{old}, int @var{new})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function copies the descriptor @var{old} to descriptor number
- @var{new}.
- 
-@@ -3631,6 +3881,7 @@ different headers.
- @comment sys/ioctl.h
- @comment BSD
- @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- The @code{ioctl} function performs the generic I/O operation
- @var{command} on @var{filedes}.
-@@ -3650,3 +3901,6 @@ unknown device.
- Most IOCTLs are OS-specific and/or only used in special system utilities,
- and are thus beyond the scope of this document.  For an example of the use
- of an IOCTL, see @ref{Out-of-Band Data}.
-+
-+@c FIXME this is undocumented:
-+@c dup3
-diff --git a/manual/locale.texi b/manual/locale.texi
-index 323268d..da50d18 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @comment locale.h
- @comment ISO
- @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
--@safety{@mtunsafe{uunguard}}
--@c This function is MT-Safe, but uses of the global locale object are
--@c unguarded in functions that ought to be MT-Safe, so we're ruling out
--@c the use of this function once threads are started.
-+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
-+@c Uses of the global locale object are unguarded in functions that
-+@c ought to be MT-Safe, so we're ruling out the use of this function
-+@c once threads are started.  It takes a write lock itself, but it may
-+@c return a pointer loaded from the global locale object after releasing
-+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
-+@c and free, and _nl_find_locale, which amount to all documented safety
-+@c issues.  It also calls new_composite_name, setdata, and setname,
-+@c without any additional issues.  _nl_find_locale calls getenv, ...
-+This function returns a pointer read 
- The function @code{setlocale} sets the current locale for category
- @var{category} to @var{locale}.  A list of all the locales the system
- provides can be created by running
-diff --git a/manual/resource.texi b/manual/resource.texi
-index 1ec7af2..71b08f7 100644
---- a/manual/resource.texi
-+++ b/manual/resource.texi
-@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
- @comment sys/resource.h
- @comment BSD
- @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct syscall on most systems.
- Read the current and maximum limits for the resource @var{resource}
- and store them in @code{*@var{rlp}}.
- 
-@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
- @comment sys/resource.h
- @comment Unix98
- @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
- This function is similar to @code{getrlimit} but its second parameter is
- a pointer to a variable of type @code{struct rlimit64}, which allows it
- to read values which wouldn't fit in the member of a @code{struct
-@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
- @comment unistd.h
- @comment BSD
- @deftypefun int getpagesize (void)
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
-+@c the exception, with the possibility of a syscall.
- The @code{getpagesize} function returns the page size of the process.
- This value is fixed for the runtime of the process but can vary in
- different runs of the application.
-@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
- @comment sys/sysinfo.h
- @comment GNU
- @deftypefun {long int} get_phys_pages (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
-+@c This fopens a /proc file and scans it for the requested information.
- The @code{get_phys_pages} function returns the total number of pages of
- physical the system has.  To get the amount of memory this number has to
- be multiplied by the page size.
-@@ -1569,6 +1578,7 @@ This function is a GNU extension.
- @comment sys/sysinfo.h
- @comment GNU
- @deftypefun {long int} get_avphys_pages (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
- The @code{get_phys_pages} function returns the number of available pages of
- physical the system has.  To get the amount of memory this number has to
- be multiplied by the page size.
-@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
- @comment sys/sysinfo.h
- @comment GNU
- @deftypefun int get_nprocs_conf (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
-+@c This function reads from from /sys using dir streams (single user, so
-+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
-+@c streams.
- The @code{get_nprocs_conf} function returns the number of processors the
- operating system configured.
- 
-@@ -1623,6 +1637,8 @@ This function is a GNU extension.
- @comment sys/sysinfo.h
- @comment GNU
- @deftypefun int get_nprocs (void)
-+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
-+@c This function reads from /proc using file descriptor I/O.
- The @code{get_nprocs} function returns the number of available processors.
- 
- This function is a GNU extension.
-diff --git a/manual/search.texi b/manual/search.texi
-index efd3604..6910edc 100644
---- a/manual/search.texi
-+++ b/manual/search.texi
-@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
- @comment stdlib.h
- @comment ISO
- @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
-+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
- The @var{qsort} function sorts the array @var{array}.  The array contains
- @var{count} elements, each of which is of size @var{size}.
- 
-@@ -436,6 +437,11 @@ in the header file @file{search.h}.
- @comment search.h
- @comment SVID
- @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
-+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
-+@c The tree is not modified in a thread-safe manner, and rotations may
-+@c leave the tree in an inconsistent state that could be observed in an
-+@c asynchronous signal handler or after asynchronous cancellation of the
-+@c thread performing the rotation or the insertion.
- The @code{tsearch} function searches in the tree pointed to by
- @code{*@var{rootp}} for an element matching @var{key}.  The function
- pointed to by @var{compar} is used to determine whether two elements
-@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
- @comment search.h
- @comment SVID
- @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
- The @code{tfind} function is similar to the @code{tsearch} function.  It
- locates an element matching the one pointed to by @var{key} and returns
- a pointer to this element.  But if no matching element is available no
-@@ -479,6 +486,7 @@ elements.
- @comment search.h
- @comment SVID
- @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
-+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
- To remove a specific element matching @var{key} from the tree
- @code{tdelete} can be used.  It locates the matching element using the
- same method as @code{tfind}.  The corresponding element is then removed
-@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
- @comment search.h
- @comment GNU
- @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
-+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
- If the complete search tree has to be removed one can use
- @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
- function to generate the tree pointed to by @var{vroot}.
-@@ -546,6 +555,7 @@ The current node is a leaf.
- @comment search.h
- @comment SVID
- @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
-+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
- For each node in the tree with a node pointed to by @var{root}, the
- @code{twalk} function calls the function provided by the parameter
- @var{action}.  For leaf nodes the function is called exactly once with
-diff --git a/manual/startup.texi b/manual/startup.texi
-index a277714..7bbaf13 100644
---- a/manual/startup.texi
-+++ b/manual/startup.texi
-@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
- The difference to the @code{setenv} function is that the exact string
- given as the parameter @var{string} is put into the environment.  If the
- user should change the string after the @code{putenv} call this will
--reflect in automatically in the environment.  This also requires that
--@var{string} is no automatic variable which scope is left before the
-+reflect automatically in the environment.  This also requires that
-+@var{string} not be an automatic variable whose scope is left before the
- variable is removed from the environment.  The same applies of course to
- dynamically allocated variables which are freed later.
- 
-diff --git a/manual/stdio.texi b/manual/stdio.texi
-index 7809dd4..79a3340 100644
---- a/manual/stdio.texi
-+++ b/manual/stdio.texi
-@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
- @comment stdio.h
- @comment ISO
- @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
- @c fopen may leak the list lock if cancelled within _IO_link_in.
- The @code{fopen} function opens a stream for I/O to the file
- @var{filename}, and returns a pointer to the stream.
-@@ -267,7 +267,7 @@ Locks}.
- @comment stdio.h
- @comment Unix98
- @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
- This function is similar to @code{fopen} but the stream it returns a
- pointer for is opened using @code{open64}.  Therefore this stream can be
- used even on files larger then @math{2^31} bytes on 32 bit machines.
-@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
- @comment stdio.h
- @comment ISO
- @deftypefun int fclose (FILE *@var{stream})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
- @c After fclose, it is undefined behavior to use the stream it points
- @c to.  Therefore, one must only call fclose when the stream is
- @c otherwise unused.  Concurrent uses started before will complete
-@@ -2662,6 +2662,42 @@ pointer @var{ap}.
- @c case of cancellation.  This doesn't make it unsafe, but cancelling it
- @c may leak memory.  The unguarded use of __printf_function_table is
- @c also of concern for all callers.
-+@c _itoa ok
-+@c   _udiv_qrnnd_preinv ok
-+@c group_number ok
-+@c _i18n_number_rewrite
-+@c   __wctrans ok
-+@c   __towctrans glocale
-+@c   __wcrtomb ok? dup below
-+@c   outdigit_value ok
-+@c   outdigitwc_value ok
-+@c outchar ok
-+@c outstring ok
-+@c PAD ok
-+@c __printf_fp glocale memleak
-+@c __printf_fphex glocale
-+@c __readonly_area
-+@c   [GNU/Linux] fopen, strtoul, free
-+@c __strerror_r ok if no translation, check otherwise
-+@c __btowc ? gconv-modules
-+@c __wcrtomb ok (not using internal state) gconv-modules
-+@c ARGCHECK
-+@c UNBUFFERED_P (tested before taking the stream lock)
-+@c buffered_vfprintf ok
-+@c __find_spec(wc|mb)
-+@c read_int
-+@c __libc_use_alloca
-+@c process_arg
-+@c process_string_arg
-+@c extend_alloca
-+@c __parse_one_spec(wc|mb)
-+@c *__printf_arginfo_table unguarded
-+@c __printf_va_arg_table-> unguarded
-+@c *__printf_function_table unguarded
-+@c done_add
-+@c printf_unknown
-+@c   outchar
-+@c   _itoa_word
- This is the equivalent of @code{fprintf} with the variable argument list
- specified directly as for @code{vprintf}.
- @end deftypefun
-@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
- @comment stdio.h
- @comment GNU
- @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
- @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
- @c bringing with it additional potential for async trouble with
- @c list_all_lock.
-@@ -5076,7 +5112,7 @@ Got r
- @comment stdio.h
- @comment GNU
- @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
--@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
- This function opens a stream for writing to a buffer.  The buffer is
- allocated dynamically and grown as necessary, using @code{malloc}.
- After you've closed the stream, this buffer is your responsibility to
-@@ -5192,7 +5228,7 @@ closed.
- @comment stdio.h
- @comment GNU
- @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
- This function actually creates the stream for communicating with the
- @var{cookie} using the functions in the @var{io-functions} argument.
- The @var{opentype} argument is interpreted as for @code{fopen};
-diff --git a/manual/string.texi b/manual/string.texi
-index 246be84..a75d298 100644
---- a/manual/string.texi
-+++ b/manual/string.texi
-@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
- @comment string.h
- @comment GNU
- @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c Calls isdigit multiple times, locale may change in between.
- The @code{strverscmp} function compares the string @var{s1} against
- @var{s2}, considering them as holding indices/version numbers.  The
- return value follows the same conventions as found in the
-@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
- @comment string.h
- @comment ISO
- @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c Adjust alphasort one safety info is determined.
- The @code{strcoll} function is similar to @code{strcmp} but uses the
- collating sequence of the current locale for collation (the
- @code{LC_COLLATE} locale).
-diff --git a/manual/terminal.texi b/manual/terminal.texi
-index 9e9c057..7f62a4e 100644
---- a/manual/terminal.texi
-+++ b/manual/terminal.texi
-@@ -264,6 +264,9 @@ array.
- @comment termios.h
- @comment POSIX.1
- @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Converting the kernel-returned termios data structure to the userland
-+@c format does not ensure atomic or consistent writing.
- This function is used to examine the attributes of the terminal
- device with file descriptor @var{filedes}.  The attributes are returned
- in the structure that @var{termios-p} points to.
-@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
- @comment termios.h
- @comment POSIX.1
- @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Converting the incoming termios data structure to the kernel format
-+@c does not ensure atomic or consistent reading.
- This function sets the attributes of the terminal device with file
- descriptor @var{filedes}.  The new attributes are taken from the
- structure that @var{termios-p} points to.
-diff --git a/manual/threads.texi b/manual/threads.texi
-index a23ac26..19bfad6 100644
---- a/manual/threads.texi
-+++ b/manual/threads.texi
-@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
- data destructors or even as members of the thread-specific data, since the
- latter is passed as an argument to the destructor function.
- 
-+@c FIXME: use @deftypefun for these.
- @item int pthread_key_delete (pthread_key_t @var{key})
- Destroy the thread-specific data @var{key} in the calling thread.  The
- destructor for the thread-specific data is not called during destruction, nor
-@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
- The system does not have sufficient memory.
- @end table
- @end deftypefun
-+
-+@c FIXME these are undocumented:
-+@c pthread_atfork
-+@c pthread_attr_destroy
-+@c pthread_attr_getaffinity_np
-+@c pthread_attr_getdetachstate
-+@c pthread_attr_getguardsize
-+@c pthread_attr_getinheritsched
-+@c pthread_attr_getschedparam
-+@c pthread_attr_getschedpolicy
-+@c pthread_attr_getscope
-+@c pthread_attr_getstack
-+@c pthread_attr_getstackaddr
-+@c pthread_attr_getstacksize
-+@c pthread_attr_init
-+@c pthread_attr_setaffinity_np
-+@c pthread_attr_setdetachstate
-+@c pthread_attr_setguardsize
-+@c pthread_attr_setinheritsched
-+@c pthread_attr_setschedparam
-+@c pthread_attr_setschedpolicy
-+@c pthread_attr_setscope
-+@c pthread_attr_setstack
-+@c pthread_attr_setstackaddr
-+@c pthread_attr_setstacksize
-+@c pthread_barrierattr_destroy
-+@c pthread_barrierattr_getpshared
-+@c pthread_barrierattr_init
-+@c pthread_barrierattr_setpshared
-+@c pthread_barrier_destroy
-+@c pthread_barrier_init
-+@c pthread_barrier_wait
-+@c pthread_cancel
-+@c pthread_cleanup_push
-+@c pthread_cleanup_pop
-+@c pthread_condattr_destroy
-+@c pthread_condattr_getclock
-+@c pthread_condattr_getpshared
-+@c pthread_condattr_init
-+@c pthread_condattr_setclock
-+@c pthread_condattr_setpshared
-+@c pthread_cond_broadcast
-+@c pthread_cond_destroy
-+@c pthread_cond_init
-+@c pthread_cond_signal
-+@c pthread_cond_timedwait
-+@c pthread_cond_wait
-+@c pthread_create
-+@c pthread_detach
-+@c pthread_equal
-+@c pthread_exit
-+@c pthread_getaffinity_np
-+@c pthread_getattr_np
-+@c pthread_getconcurrency
-+@c pthread_getcpuclockid
-+@c pthread_getname_np
-+@c pthread_getschedparam
-+@c pthread_join
-+@c pthread_kill
-+@c pthread_kill_other_threads_np
-+@c pthread_mutexattr_destroy
-+@c pthread_mutexattr_getkind_np
-+@c pthread_mutexattr_getprioceiling
-+@c pthread_mutexattr_getprotocol
-+@c pthread_mutexattr_getpshared
-+@c pthread_mutexattr_getrobust
-+@c pthread_mutexattr_getrobust_np
-+@c pthread_mutexattr_gettype
-+@c pthread_mutexattr_init
-+@c pthread_mutexattr_setkind_np
-+@c pthread_mutexattr_setprioceiling
-+@c pthread_mutexattr_setprotocol
-+@c pthread_mutexattr_setpshared
-+@c pthread_mutexattr_setrobust
-+@c pthread_mutexattr_setrobust_np
-+@c pthread_mutexattr_settype
-+@c pthread_mutex_consistent
-+@c pthread_mutex_consistent_np
-+@c pthread_mutex_destroy
-+@c pthread_mutex_getprioceiling
-+@c pthread_mutex_init
-+@c pthread_mutex_lock
-+@c pthread_mutex_setprioceiling
-+@c pthread_mutex_timedlock
-+@c pthread_mutex_trylock
-+@c pthread_mutex_unlock
-+@c pthread_once
-+@c pthread_rwlockattr_destroy
-+@c pthread_rwlockattr_getkind_np
-+@c pthread_rwlockattr_getpshared
-+@c pthread_rwlockattr_init
-+@c pthread_rwlockattr_setkind_np
-+@c pthread_rwlockattr_setpshared
-+@c pthread_rwlock_destroy
-+@c pthread_rwlock_init
-+@c pthread_rwlock_rdlock
-+@c pthread_rwlock_timedrdlock
-+@c pthread_rwlock_timedwrlock
-+@c pthread_rwlock_tryrdlock
-+@c pthread_rwlock_trywrlock
-+@c pthread_rwlock_unlock
-+@c pthread_rwlock_wrlock
-+@c pthread_self
-+@c pthread_setaffinity_np
-+@c pthread_setcancelstate
-+@c pthread_setcanceltype
-+@c pthread_setconcurrency
-+@c pthread_setname_np
-+@c pthread_setschedparam
-+@c pthread_setschedprio
-+@c pthread_sigmask
-+@c pthread_sigqueue
-+@c pthread_spin_destroy
-+@c pthread_spin_init
-+@c pthread_spin_lock
-+@c pthread_spin_trylock
-+@c pthread_spin_unlock
-+@c pthread_testcancel
-+@c pthread_timedjoin_np
-+@c pthread_tryjoin_np
-+@c pthread_yield
-diff --git a/manual/time.texi b/manual/time.texi
-index ff31e28..3967b24 100644
---- a/manual/time.texi
-+++ b/manual/time.texi
-@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
- @comment sys/time.h
- @comment BSD
- @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c On most GNU/Linux systems this is a direct syscall, but the posix/
-+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
-+@c localtime_r, saving and restoring tzname in an unsafe manner.
-+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
-+@c for vdso resolution.  ifunc-vdso-revisit.
- The @code{gettimeofday} function returns the current calendar time as
- the elapsed time since the epoch in the @code{struct timeval} structure
- indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4fbc047902ffe2e52e83f768573b9b8b0cdd8e7c

commit 4fbc047902ffe2e52e83f768573b9b8b0cdd8e7c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/???.texi: Document thread safety properties.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3152fe9b71d25e5a079af8a12b1ab66c69174413

commit 3152fe9b71d25e5a079af8a12b1ab66c69174413
Merge: 409b9c1 36ebef0 32cc08f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:51 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=409b9c1dc08236ce6fc200dbf7ac8f1ce7466fd5

commit 409b9c1dc08236ce6fc200dbf7ac8f1ce7466fd5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:51 2013 -0300

    import

diff --git a/meta b/meta
index a8768b4..2ab621e 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9af99627e811f0fdcfb787cd4fd7c395fa08caf0
-Head: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
+Previous: 32cc08f6887f254257307044a1da7e83889300d8
+Head: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -28,6 +28,7 @@ Applied:
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
   wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
+  wip-manual-document-mt-safety-time.patch: 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
 Unapplied:
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-time.patch b/patches/wip-manual-document-mt-safety-time.patch
new file mode 100644
index 0000000..ee52a8e
--- /dev/null
+++ b/patches/wip-manual-document-mt-safety-time.patch
@@ -0,0 +1,31 @@
+Bottom: 934314e9de7d53f206e47915ea85ef4798ee295a
+Top:    7472b1dd7a8cc8760b98cd08cb7f8418374249ed
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:14:50 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/time.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/time.texi b/manual/time.texi
+index ff31e28..3967b24 100644
+--- a/manual/time.texi
++++ b/manual/time.texi
+@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c On most GNU/Linux systems this is a direct syscall, but the posix/
++@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
++@c localtime_r, saving and restoring tzname in an unsafe manner.
++@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
++@c for vdso resolution.  ifunc-vdso-revisit.
+ The @code{gettimeofday} function returns the current calendar time as
+ the elapsed time since the epoch in the @code{struct timeval} structure
+ indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=36ebef0d2d702667bef29dd37c04d3a416cfaa1c

commit 36ebef0d2d702667bef29dd37c04d3a416cfaa1c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:50 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/time.texi: Document thread safety properties.

diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=32cc08f6887f254257307044a1da7e83889300d8

commit 32cc08f6887f254257307044a1da7e83889300d8
Merge: 0b5bbfe f47c93c 9af9962
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:36 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0b5bbfef237a30c3c4c54b5e4e2e0b9c0ac358bc

commit 0b5bbfef237a30c3c4c54b5e4e2e0b9c0ac358bc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:36 2013 -0300

    import

diff --git a/meta b/meta
index 78c93b5..a8768b4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9d6b1e3e15da247a2588e6e4e56507f3d460964f
-Head: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
+Previous: 9af99627e811f0fdcfb787cd4fd7c395fa08caf0
+Head: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -27,6 +27,7 @@ Applied:
   manual-document-mt-safety-stdio.patch: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
   wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
+  wip-manual-document-mt-safety-threads.patch: f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
 Unapplied:
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-threads.patch b/patches/wip-manual-document-mt-safety-threads.patch
new file mode 100644
index 0000000..a8a9208
--- /dev/null
+++ b/patches/wip-manual-document-mt-safety-threads.patch
@@ -0,0 +1,151 @@
+Bottom: 9f340cd557aceda321c8ef9f6db21082e5dbdaee
+Top:    934314e9de7d53f206e47915ea85ef4798ee295a
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:14:35 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/threads.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/threads.texi b/manual/threads.texi
+index a23ac26..19bfad6 100644
+--- a/manual/threads.texi
++++ b/manual/threads.texi
+@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
+ data destructors or even as members of the thread-specific data, since the
+ latter is passed as an argument to the destructor function.
+ 
++@c FIXME: use @deftypefun for these.
+ @item int pthread_key_delete (pthread_key_t @var{key})
+ Destroy the thread-specific data @var{key} in the calling thread.  The
+ destructor for the thread-specific data is not called during destruction, nor
+@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
+ The system does not have sufficient memory.
+ @end table
+ @end deftypefun
++
++@c FIXME these are undocumented:
++@c pthread_atfork
++@c pthread_attr_destroy
++@c pthread_attr_getaffinity_np
++@c pthread_attr_getdetachstate
++@c pthread_attr_getguardsize
++@c pthread_attr_getinheritsched
++@c pthread_attr_getschedparam
++@c pthread_attr_getschedpolicy
++@c pthread_attr_getscope
++@c pthread_attr_getstack
++@c pthread_attr_getstackaddr
++@c pthread_attr_getstacksize
++@c pthread_attr_init
++@c pthread_attr_setaffinity_np
++@c pthread_attr_setdetachstate
++@c pthread_attr_setguardsize
++@c pthread_attr_setinheritsched
++@c pthread_attr_setschedparam
++@c pthread_attr_setschedpolicy
++@c pthread_attr_setscope
++@c pthread_attr_setstack
++@c pthread_attr_setstackaddr
++@c pthread_attr_setstacksize
++@c pthread_barrierattr_destroy
++@c pthread_barrierattr_getpshared
++@c pthread_barrierattr_init
++@c pthread_barrierattr_setpshared
++@c pthread_barrier_destroy
++@c pthread_barrier_init
++@c pthread_barrier_wait
++@c pthread_cancel
++@c pthread_cleanup_push
++@c pthread_cleanup_pop
++@c pthread_condattr_destroy
++@c pthread_condattr_getclock
++@c pthread_condattr_getpshared
++@c pthread_condattr_init
++@c pthread_condattr_setclock
++@c pthread_condattr_setpshared
++@c pthread_cond_broadcast
++@c pthread_cond_destroy
++@c pthread_cond_init
++@c pthread_cond_signal
++@c pthread_cond_timedwait
++@c pthread_cond_wait
++@c pthread_create
++@c pthread_detach
++@c pthread_equal
++@c pthread_exit
++@c pthread_getaffinity_np
++@c pthread_getattr_np
++@c pthread_getconcurrency
++@c pthread_getcpuclockid
++@c pthread_getname_np
++@c pthread_getschedparam
++@c pthread_join
++@c pthread_kill
++@c pthread_kill_other_threads_np
++@c pthread_mutexattr_destroy
++@c pthread_mutexattr_getkind_np
++@c pthread_mutexattr_getprioceiling
++@c pthread_mutexattr_getprotocol
++@c pthread_mutexattr_getpshared
++@c pthread_mutexattr_getrobust
++@c pthread_mutexattr_getrobust_np
++@c pthread_mutexattr_gettype
++@c pthread_mutexattr_init
++@c pthread_mutexattr_setkind_np
++@c pthread_mutexattr_setprioceiling
++@c pthread_mutexattr_setprotocol
++@c pthread_mutexattr_setpshared
++@c pthread_mutexattr_setrobust
++@c pthread_mutexattr_setrobust_np
++@c pthread_mutexattr_settype
++@c pthread_mutex_consistent
++@c pthread_mutex_consistent_np
++@c pthread_mutex_destroy
++@c pthread_mutex_getprioceiling
++@c pthread_mutex_init
++@c pthread_mutex_lock
++@c pthread_mutex_setprioceiling
++@c pthread_mutex_timedlock
++@c pthread_mutex_trylock
++@c pthread_mutex_unlock
++@c pthread_once
++@c pthread_rwlockattr_destroy
++@c pthread_rwlockattr_getkind_np
++@c pthread_rwlockattr_getpshared
++@c pthread_rwlockattr_init
++@c pthread_rwlockattr_setkind_np
++@c pthread_rwlockattr_setpshared
++@c pthread_rwlock_destroy
++@c pthread_rwlock_init
++@c pthread_rwlock_rdlock
++@c pthread_rwlock_timedrdlock
++@c pthread_rwlock_timedwrlock
++@c pthread_rwlock_tryrdlock
++@c pthread_rwlock_trywrlock
++@c pthread_rwlock_unlock
++@c pthread_rwlock_wrlock
++@c pthread_self
++@c pthread_setaffinity_np
++@c pthread_setcancelstate
++@c pthread_setcanceltype
++@c pthread_setconcurrency
++@c pthread_setname_np
++@c pthread_setschedparam
++@c pthread_setschedprio
++@c pthread_sigmask
++@c pthread_sigqueue
++@c pthread_spin_destroy
++@c pthread_spin_init
++@c pthread_spin_lock
++@c pthread_spin_trylock
++@c pthread_spin_unlock
++@c pthread_testcancel
++@c pthread_timedjoin_np
++@c pthread_tryjoin_np
++@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f47c93cdfff86a4b5acb80c4b80ba113757b9e5f

commit f47c93cdfff86a4b5acb80c4b80ba113757b9e5f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:14:35 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/threads.texi: Document thread safety properties.

diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9af99627e811f0fdcfb787cd4fd7c395fa08caf0

commit 9af99627e811f0fdcfb787cd4fd7c395fa08caf0
Merge: 62cd4e6 131f3d7 9d6b1e3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=62cd4e647e34e31ad1e3a186be37661288afba1b

commit 62cd4e647e34e31ad1e3a186be37661288afba1b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    import

diff --git a/meta b/meta
index 902eaac..78c93b5 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ea4fd9c31cd34ece4af5fe8d6b3a17c9ef9f79e4
-Head: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
+Previous: 9d6b1e3e15da247a2588e6e4e56507f3d460964f
+Head: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -26,6 +26,7 @@ Applied:
   wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
   manual-document-mt-safety-stdio.patch: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
   wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
+  wip-manual-document-mt-safety-terminal.patch: 131f3d7cbdeaec2279062d5bd94af6281390b9ba
 Unapplied:
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-terminal.patch b/patches/wip-manual-document-mt-safety-terminal.patch
new file mode 100644
index 0000000..09d43ed
--- /dev/null
+++ b/patches/wip-manual-document-mt-safety-terminal.patch
@@ -0,0 +1,38 @@
+Bottom: 12b763b61e3c2dff9a990b8c3271a64b6febfd63
+Top:    9f340cd557aceda321c8ef9f6db21082e5dbdaee
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:13:53 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/terminal.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/terminal.texi b/manual/terminal.texi
+index 9e9c057..7f62a4e 100644
+--- a/manual/terminal.texi
++++ b/manual/terminal.texi
+@@ -264,6 +264,9 @@ array.
+ @comment termios.h
+ @comment POSIX.1
+ @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Converting the kernel-returned termios data structure to the userland
++@c format does not ensure atomic or consistent writing.
+ This function is used to examine the attributes of the terminal
+ device with file descriptor @var{filedes}.  The attributes are returned
+ in the structure that @var{termios-p} points to.
+@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
+ @comment termios.h
+ @comment POSIX.1
+ @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Converting the incoming termios data structure to the kernel format
++@c does not ensure atomic or consistent reading.
+ This function sets the attributes of the terminal device with file
+ descriptor @var{filedes}.  The new attributes are taken from the
+ structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=131f3d7cbdeaec2279062d5bd94af6281390b9ba

commit 131f3d7cbdeaec2279062d5bd94af6281390b9ba
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:53 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/terminal.texi: Document thread safety properties.

diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9d6b1e3e15da247a2588e6e4e56507f3d460964f

commit 9d6b1e3e15da247a2588e6e4e56507f3d460964f
Merge: 59dcb93 358134b ea4fd9c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=59dcb935e3195f296afe22873dfe1706c77beeba

commit 59dcb935e3195f296afe22873dfe1706c77beeba
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    import

diff --git a/meta b/meta
index 6a6db56..902eaac 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7813e945b628c7ad8a53e4e1e9f8c9bcdcbba26a
-Head: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
+Previous: ea4fd9c31cd34ece4af5fe8d6b3a17c9ef9f79e4
+Head: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -25,6 +25,7 @@ Applied:
   manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
   wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
   manual-document-mt-safety-stdio.patch: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
+  wip-manual-document-mt-safety-string.patch: 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
 Unapplied:
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/wip-manual-document-mt-safety-string.patch b/patches/wip-manual-document-mt-safety-string.patch
new file mode 100644
index 0000000..c2dd68c
--- /dev/null
+++ b/patches/wip-manual-document-mt-safety-string.patch
@@ -0,0 +1,36 @@
+Bottom: 3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
+Top:    12b763b61e3c2dff9a990b8c3271a64b6febfd63
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:13:24 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/string.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/string.texi b/manual/string.texi
+index 246be84..a75d298 100644
+--- a/manual/string.texi
++++ b/manual/string.texi
+@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
+ @comment string.h
+ @comment GNU
+ @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c Calls isdigit multiple times, locale may change in between.
+ The @code{strverscmp} function compares the string @var{s1} against
+ @var{s2}, considering them as holding indices/version numbers.  The
+ return value follows the same conventions as found in the
+@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
+ @comment string.h
+ @comment ISO
+ @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c Adjust alphasort one safety info is determined.
+ The @code{strcoll} function is similar to @code{strcmp} but uses the
+ collating sequence of the current locale for collation (the
+ @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=358134baec989c2a7d7f3e6f2d4d0b3f002bcb39

commit 358134baec989c2a7d7f3e6f2d4d0b3f002bcb39
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:13:24 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/string.texi: Document thread safety properties.

diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ea4fd9c31cd34ece4af5fe8d6b3a17c9ef9f79e4

commit ea4fd9c31cd34ece4af5fe8d6b3a17c9ef9f79e4
Merge: 1f35875 b6c3b59 7813e94
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:53 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1f35875992d2f4994c57f952436924323701762f

commit 1f35875992d2f4994c57f952436924323701762f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:53 2013 -0300

    refresh

diff --git a/meta b/meta
index 62198e1..6a6db56 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 46dbc4b516036ae274f7ad8e4b90fbe8547d40e4
-Head: fe734e3c4e47da61876a28df92f216ffe7f91900
+Previous: 7813e945b628c7ad8a53e4e1e9f8c9bcdcbba26a
+Head: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -24,8 +24,7 @@ Applied:
   manual-document-mt-safety-resource.patch: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
   manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
   wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
-  manual-document-mt-safety-stdio.patch: 4317964c441ce5286d9d38d49a63be64118cf356
-  refresh-temp: fe734e3c4e47da61876a28df92f216ffe7f91900
+  manual-document-mt-safety-stdio.patch: b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
 Unapplied:
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 373e2ca..8b416af 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
 Bottom: 195f80ed20d8cfa61af3b5629d405de8be7b40fc
-Top:    e7e01aad2f34ba561dd0a0744ce4b8cd012180c4
+Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
@@ -13,14 +13,14 @@ for  ChangeLog
 ---
 
 diff --git a/manual/stdio.texi b/manual/stdio.texi
-index 3f9be9bc5..7809dd4 100644
+index 3f9be9bc5..79a3340 100644
 --- a/manual/stdio.texi
 +++ b/manual/stdio.texi
 @@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
  @comment stdio.h
  @comment ISO
  @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
-+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 +@c fopen may leak the list lock if cancelled within _IO_link_in.
  The @code{fopen} function opens a stream for I/O to the file
  @var{filename}, and returns a pointer to the stream.
@@ -29,7 +29,7 @@ index 3f9be9bc5..7809dd4 100644
  @comment stdio.h
  @comment Unix98
  @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
-+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
  This function is similar to @code{fopen} but the stream it returns a
  pointer for is opened using @code{open64}.  Therefore this stream can be
  used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -94,7 +94,7 @@ index 3f9be9bc5..7809dd4 100644
  @comment stdio.h
  @comment ISO
  @deftypefun int fclose (FILE *@var{stream})
-+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
 +@c After fclose, it is undefined behavior to use the stream it points
 +@c to.  Therefore, one must only call fclose when the stream is
 +@c otherwise unused.  Concurrent uses started before will complete
@@ -644,7 +644,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{wprintf} except that, instead of taking
  a variable number of arguments directly, it takes an argument list
  pointer @var{ap}.
-@@ -2525,6 +2656,12 @@ pointer @var{ap}.
+@@ -2525,6 +2656,48 @@ pointer @var{ap}.
  @comment stdio.h
  @comment ISO
  @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
@@ -654,10 +654,46 @@ index 3f9be9bc5..7809dd4 100644
 +@c case of cancellation.  This doesn't make it unsafe, but cancelling it
 +@c may leak memory.  The unguarded use of __printf_function_table is
 +@c also of concern for all callers.
++@c _itoa ok
++@c   _udiv_qrnnd_preinv ok
++@c group_number ok
++@c _i18n_number_rewrite
++@c   __wctrans ok
++@c   __towctrans glocale
++@c   __wcrtomb ok? dup below
++@c   outdigit_value ok
++@c   outdigitwc_value ok
++@c outchar ok
++@c outstring ok
++@c PAD ok
++@c __printf_fp glocale memleak
++@c __printf_fphex glocale
++@c __readonly_area
++@c   [GNU/Linux] fopen, strtoul, free
++@c __strerror_r ok if no translation, check otherwise
++@c __btowc ? gconv-modules
++@c __wcrtomb ok (not using internal state) gconv-modules
++@c ARGCHECK
++@c UNBUFFERED_P (tested before taking the stream lock)
++@c buffered_vfprintf ok
++@c __find_spec(wc|mb)
++@c read_int
++@c __libc_use_alloca
++@c process_arg
++@c process_string_arg
++@c extend_alloca
++@c __parse_one_spec(wc|mb)
++@c *__printf_arginfo_table unguarded
++@c __printf_va_arg_table-> unguarded
++@c *__printf_function_table unguarded
++@c done_add
++@c printf_unknown
++@c   outchar
++@c   _itoa_word
  This is the equivalent of @code{fprintf} with the variable argument list
  specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
+@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
  @comment wchar.h
  @comment ISO
  @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
@@ -665,7 +701,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{fwprintf} with the variable argument list
  specified directly as for @code{vwprintf}.
  @end deftypefun
-@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
+@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
  @comment stdio.h
  @comment ISO
  @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
@@ -673,7 +709,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{sprintf} with the variable argument list
  specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
+@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
  @comment wchar.h
  @comment GNU
  @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
@@ -681,7 +717,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{swprintf} with the variable argument list
  specified directly as for @code{vwprintf}.
  @end deftypefun
-@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
+@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
  @comment stdio.h
  @comment GNU
  @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
@@ -689,7 +725,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{snprintf} with the variable argument list
  specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
+@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
  @comment stdio.h
  @comment GNU
  @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
@@ -697,7 +733,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{vasprintf} function is the equivalent of @code{asprintf} with the
  variable argument list specified directly as for @code{vprintf}.
  @end deftypefun
-@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
+@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
  @comment stdio.h
  @comment GNU
  @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
@@ -708,7 +744,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{obstack_vprintf} function is the equivalent of
  @code{obstack_printf} with the variable argument list specified directly
  as for @code{vprintf}.@refill
-@@ -2639,6 +2785,7 @@ file @file{printf.h}.
+@@ -2639,6 +2821,7 @@ file @file{printf.h}.
  @comment printf.h
  @comment GNU
  @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
@@ -716,7 +752,7 @@ index 3f9be9bc5..7809dd4 100644
  This function returns information about the number and types of
  arguments expected by the @code{printf} template string @var{template}.
  The information is stored in the array @var{argtypes}; each element of
-@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
+@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
  @comment printf.h
  @comment GNU
  @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
@@ -729,7 +765,7 @@ index 3f9be9bc5..7809dd4 100644
  This function defines the conversion specifier character @var{spec}.
  Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
  You can redefine the built-in conversions like @samp{%s}, but flag
-@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
+@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
  @comment printf.h
  @comment GNU
  @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
@@ -742,7 +778,7 @@ index 3f9be9bc5..7809dd4 100644
  Print a given floating point number as for the format @code{%f} except
  that there is a postfix character indicating the divisor for the
  number to make this less than 1000.  There are two possible divisors:
-@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
+@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
  @comment printf.h
  @comment GNU
  @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
@@ -750,7 +786,7 @@ index 3f9be9bc5..7809dd4 100644
  This function will return in @var{argtypes} the information about the
  used parameters in the way the @code{vfprintf} implementation expects
  it.  The format always takes one argument.
-@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
+@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int scanf (const char *@var{template}, @dots{})
@@ -758,7 +794,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{scanf} function reads formatted input from the stream
  @code{stdin} under the control of the template string @var{template}.
  The optional arguments are pointers to the places which receive the
-@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
+@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
  @comment wchar.h
  @comment ISO
  @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
@@ -766,7 +802,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{wscanf} function reads formatted input from the stream
  @code{stdin} under the control of the template string @var{template}.
  The optional arguments are pointers to the places which receive the
-@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
+@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
  @comment stdio.h
  @comment ISO
  @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
@@ -774,7 +810,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is just like @code{scanf}, except that the input is read
  from the stream @var{stream} instead of @code{stdin}.
  @end deftypefun
-@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
+@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
  @comment wchar.h
  @comment ISO
  @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
@@ -782,7 +818,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is just like @code{wscanf}, except that the input is read
  from the stream @var{stream} instead of @code{stdin}.
  @end deftypefun
-@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
+@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
  @comment stdio.h
  @comment ISO
  @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
@@ -790,7 +826,7 @@ index 3f9be9bc5..7809dd4 100644
  This is like @code{scanf}, except that the characters are taken from the
  null-terminated string @var{s} instead of from a stream.  Reaching the
  end of the string is treated as an end-of-file condition.
-@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
+@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
  @comment wchar.h
  @comment ISO
  @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
@@ -798,7 +834,7 @@ index 3f9be9bc5..7809dd4 100644
  This is like @code{wscanf}, except that the characters are taken from the
  null-terminated string @var{ws} instead of from a stream.  Reaching the
  end of the string is treated as an end-of-file condition.
-@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
+@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
  @comment stdio.h
  @comment ISO
  @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
@@ -806,7 +842,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{scanf}, but instead of taking
  a variable number of arguments directly, it takes an argument list
  pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
-@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
  @comment wchar.h
  @comment ISO
  @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
@@ -814,7 +850,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{wscanf}, but instead of taking
  a variable number of arguments directly, it takes an argument list
  pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
-@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
  @comment stdio.h
  @comment ISO
  @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
@@ -822,7 +858,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{fscanf} with the variable argument list
  specified directly as for @code{vscanf}.
  @end deftypefun
-@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
+@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
  @comment wchar.h
  @comment ISO
  @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
@@ -830,7 +866,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{fwscanf} with the variable argument list
  specified directly as for @code{vwscanf}.
  @end deftypefun
-@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
+@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
  @comment stdio.h
  @comment ISO
  @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
@@ -838,7 +874,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{sscanf} with the variable argument list
  specified directly as for @code{vscanf}.
  @end deftypefun
-@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
+@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
  @comment wchar.h
  @comment ISO
  @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
@@ -846,7 +882,7 @@ index 3f9be9bc5..7809dd4 100644
  This is the equivalent of @code{swscanf} with the variable argument list
  specified directly as for @code{vwscanf}.
  @end deftypefun
-@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
+@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int feof (FILE *@var{stream})
@@ -854,7 +890,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{feof} function returns nonzero if and only if the end-of-file
  indicator for the stream @var{stream} is set.
  
-@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
+@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
  @comment stdio.h
  @comment GNU
  @deftypefun int feof_unlocked (FILE *@var{stream})
@@ -864,7 +900,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{feof_unlocked} function is equivalent to the @code{feof}
  function except that it does not implicitly lock the stream.
  
-@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
+@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int ferror (FILE *@var{stream})
@@ -872,7 +908,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{ferror} function returns nonzero if and only if the error
  indicator for the stream @var{stream} is set, indicating that an error
  has occurred on a previous operation on the stream.
-@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
+@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
  @comment stdio.h
  @comment GNU
  @deftypefun int ferror_unlocked (FILE *@var{stream})
@@ -880,7 +916,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{ferror_unlocked} function is equivalent to the @code{ferror}
  function except that it does not implicitly lock the stream.
  
-@@ -4023,6 +4201,7 @@ function.
+@@ -4023,6 +4237,7 @@ function.
  @comment stdio.h
  @comment ISO
  @deftypefun void clearerr (FILE *@var{stream})
@@ -888,7 +924,7 @@ index 3f9be9bc5..7809dd4 100644
  This function clears the end-of-file and error indicators for the
  stream @var{stream}.
  
-@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
+@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
  @comment stdio.h
  @comment GNU
  @deftypefun void clearerr_unlocked (FILE *@var{stream})
@@ -896,7 +932,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
  function except that it does not implicitly lock the stream.
  
-@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
+@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun {long int} ftell (FILE *@var{stream})
@@ -904,7 +940,7 @@ index 3f9be9bc5..7809dd4 100644
  This function returns the current file position of the stream
  @var{stream}.
  
-@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
+@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
  @comment stdio.h
  @comment Unix98
  @deftypefun off_t ftello (FILE *@var{stream})
@@ -912,7 +948,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{ftello} function is similar to @code{ftell}, except that it
  returns a value of type @code{off_t}.  Systems which support this type
  use it to describe all file positions, unlike the POSIX specification
-@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
+@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun off64_t ftello64 (FILE *@var{stream})
@@ -920,7 +956,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{ftello} with the only difference that
  the return value is of type @code{off64_t}.  This also requires that the
  stream @var{stream} was opened using either @code{fopen64},
-@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
+@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
  @comment stdio.h
  @comment ISO
  @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
@@ -928,7 +964,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{fseek} function is used to change the file position of the
  stream @var{stream}.  The value of @var{whence} must be one of the
  constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
-@@ -4215,6 +4399,7 @@ place in the file.
+@@ -4215,6 +4435,7 @@ place in the file.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
@@ -936,7 +972,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{fseek} but it corrects a problem with
  @code{fseek} in a system with POSIX types.  Using a value of type
  @code{long int} for the offset is not compatible with POSIX.
-@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
+@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
@@ -944,7 +980,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{fseeko} with the only difference that
  the @var{offset} parameter is of type @code{off64_t}.  This also
  requires that the stream @var{stream} was opened using either
-@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
+@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
  @comment stdio.h
  @comment ISO
  @deftypefun void rewind (FILE *@var{stream})
@@ -952,7 +988,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{rewind} function positions the stream @var{stream} at the
  beginning of the file.  It is equivalent to calling @code{fseek} or
  @code{fseeko} on the @var{stream} with an @var{offset} argument of
-@@ -4407,6 +4594,7 @@ representation.
+@@ -4407,6 +4630,7 @@ representation.
  @comment stdio.h
  @comment ISO
  @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
@@ -960,7 +996,7 @@ index 3f9be9bc5..7809dd4 100644
  This function stores the value of the file position indicator for the
  stream @var{stream} in the @code{fpos_t} object pointed to by
  @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
-@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
+@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
@@ -968,7 +1004,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{fgetpos} but the file position is
  returned in a variable of type @code{fpos64_t} to which @var{position}
  points.
-@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
+@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
  @comment stdio.h
  @comment ISO
  @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
@@ -976,7 +1012,7 @@ index 3f9be9bc5..7809dd4 100644
  This function sets the file position indicator for the stream @var{stream}
  to the position @var{position}, which must have been set by a previous
  call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
-@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
+@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
  @comment stdio.h
  @comment Unix98
  @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
@@ -984,7 +1020,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is similar to @code{fsetpos} but the file position used
  for positioning is provided in a variable of type @code{fpos64_t} to
  which @var{position} points.
-@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
+@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
  @comment stdio.h
  @comment ISO
  @deftypefun int fflush (FILE *@var{stream})
@@ -992,7 +1028,7 @@ index 3f9be9bc5..7809dd4 100644
  This function causes any buffered output on @var{stream} to be delivered
  to the file.  If @var{stream} is a null pointer, then
  @code{fflush} causes buffered output on @emph{all} open output streams
-@@ -4572,6 +4764,7 @@ otherwise.
+@@ -4572,6 +4800,7 @@ otherwise.
  @comment stdio.h
  @comment POSIX
  @deftypefun int fflush_unlocked (FILE *@var{stream})
@@ -1000,7 +1036,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{fflush_unlocked} function is equivalent to the @code{fflush}
  function except that it does not implicitly lock the stream.
  @end deftypefun
-@@ -4588,6 +4781,7 @@ exported.
+@@ -4588,6 +4817,7 @@ exported.
  @comment stdio_ext.h
  @comment GNU
  @deftypefun void _flushlbf (void)
@@ -1008,7 +1044,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{_flushlbf} function flushes all line buffered streams
  currently opened.
  
-@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
+@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
  @comment stdio_ext.h
  @comment GNU
  @deftypefun void __fpurge (FILE *@var{stream})
@@ -1016,7 +1052,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{__fpurge} function causes the buffer of the stream
  @var{stream} to be emptied.  If the stream is currently in read mode all
  input in the buffer is lost.  If the stream is in output mode the
-@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
+@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
  @comment stdio.h
  @comment ISO
  @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
@@ -1024,7 +1060,7 @@ index 3f9be9bc5..7809dd4 100644
  This function is used to specify that the stream @var{stream} should
  have the buffering mode @var{mode}, which can be either @code{_IOFBF}
  (for full buffering), @code{_IOLBF} (for line buffering), or
-@@ -4710,6 +4906,7 @@ efficient size.
+@@ -4710,6 +4942,7 @@ efficient size.
  @comment stdio.h
  @comment ISO
  @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
@@ -1032,7 +1068,7 @@ index 3f9be9bc5..7809dd4 100644
  If @var{buf} is a null pointer, the effect of this function is
  equivalent to calling @code{setvbuf} with a @var{mode} argument of
  @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
-@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
+@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
  @comment stdio.h
  @comment BSD
  @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
@@ -1040,7 +1076,7 @@ index 3f9be9bc5..7809dd4 100644
  If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
  Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
  buffer.  The @var{size} argument specifies the length of @var{buf}.
-@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
+@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
  @comment stdio.h
  @comment BSD
  @deftypefun void setlinebuf (FILE *@var{stream})
@@ -1048,7 +1084,7 @@ index 3f9be9bc5..7809dd4 100644
  This function makes @var{stream} be line buffered, and allocates the
  buffer for you.
  
-@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
+@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
  @comment stdio_ext.h
  @comment GNU
  @deftypefun int __flbf (FILE *@var{stream})
@@ -1056,7 +1092,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{__flbf} function will return a nonzero value in case the
  stream @var{stream} is line buffered.  Otherwise the return value is
  zero.
-@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
+@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
  @comment stdio_ext.h
  @comment GNU
  @deftypefun size_t __fbufsize (FILE *@var{stream})
@@ -1064,7 +1100,7 @@ index 3f9be9bc5..7809dd4 100644
  The @code{__fbufsize} function return the size of the buffer in the
  stream @var{stream}.  This value can be used to optimize the use of the
  stream.
-@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
+@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
  @comment stdio_ext.h
  @comment GNU
  @deftypefun size_t __fpending (FILE *@var{stream})
@@ -1072,34 +1108,34 @@ index 3f9be9bc5..7809dd4 100644
  The @code{__fpending}
  function returns the number of bytes currently in the output buffer.
  For wide-oriented stream the measuring unit is wide characters.  This
-@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
+@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
  @comment stdio.h
  @comment GNU
  @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
-+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
 +@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
 +@c bringing with it additional potential for async trouble with
 +@c list_all_lock.
  This function opens a stream that allows the access specified by the
  @var{opentype} argument, that reads from or writes to the buffer specified
  by the argument @var{buf}.  This array must be at least @var{size} bytes long.
-@@ -4870,6 +5076,7 @@ Got r
+@@ -4870,6 +5112,7 @@ Got r
  @comment stdio.h
  @comment GNU
  @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
-+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
  This function opens a stream for writing to a buffer.  The buffer is
  allocated dynamically and grown as necessary, using @code{malloc}.
  After you've closed the stream, this buffer is your responsibility to
-@@ -4985,6 +5192,7 @@ closed.
+@@ -4985,6 +5228,7 @@ closed.
  @comment stdio.h
  @comment GNU
  @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
-+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
  This function actually creates the stream for communicating with the
  @var{cookie} using the functions in the @var{io-functions} argument.
  The @var{opentype} argument is interpreted as for @code{fopen};
-@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
+@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
  @comment fmtmsg.h
  @comment XPG
  @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
@@ -1107,7 +1143,7 @@ index 3f9be9bc5..7809dd4 100644
  Display a message described by its parameters on the device(s) specified
  in the @var{classification} parameter.  The @var{label} parameter
  identifies the source of the message.  The string should consist of two
-@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
+@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
  but this is toilsome.
  
  @deftypefun int addseverity (int @var{severity}, const char *@var{string})
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index fe070cb..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,110 +0,0 @@
-Bottom: e7e01aad2f34ba561dd0a0744ce4b8cd012180c4
-Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:12:52 -0300
-
-Refresh of manual-document-mt-safety-stdio.patch
-
----
-
-diff --git a/manual/stdio.texi b/manual/stdio.texi
-index 7809dd4..79a3340 100644
---- a/manual/stdio.texi
-+++ b/manual/stdio.texi
-@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
- @comment stdio.h
- @comment ISO
- @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
- @c fopen may leak the list lock if cancelled within _IO_link_in.
- The @code{fopen} function opens a stream for I/O to the file
- @var{filename}, and returns a pointer to the stream.
-@@ -267,7 +267,7 @@ Locks}.
- @comment stdio.h
- @comment Unix98
- @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
- This function is similar to @code{fopen} but the stream it returns a
- pointer for is opened using @code{open64}.  Therefore this stream can be
- used even on files larger then @math{2^31} bytes on 32 bit machines.
-@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
- @comment stdio.h
- @comment ISO
- @deftypefun int fclose (FILE *@var{stream})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
- @c After fclose, it is undefined behavior to use the stream it points
- @c to.  Therefore, one must only call fclose when the stream is
- @c otherwise unused.  Concurrent uses started before will complete
-@@ -2662,6 +2662,42 @@ pointer @var{ap}.
- @c case of cancellation.  This doesn't make it unsafe, but cancelling it
- @c may leak memory.  The unguarded use of __printf_function_table is
- @c also of concern for all callers.
-+@c _itoa ok
-+@c   _udiv_qrnnd_preinv ok
-+@c group_number ok
-+@c _i18n_number_rewrite
-+@c   __wctrans ok
-+@c   __towctrans glocale
-+@c   __wcrtomb ok? dup below
-+@c   outdigit_value ok
-+@c   outdigitwc_value ok
-+@c outchar ok
-+@c outstring ok
-+@c PAD ok
-+@c __printf_fp glocale memleak
-+@c __printf_fphex glocale
-+@c __readonly_area
-+@c   [GNU/Linux] fopen, strtoul, free
-+@c __strerror_r ok if no translation, check otherwise
-+@c __btowc ? gconv-modules
-+@c __wcrtomb ok (not using internal state) gconv-modules
-+@c ARGCHECK
-+@c UNBUFFERED_P (tested before taking the stream lock)
-+@c buffered_vfprintf ok
-+@c __find_spec(wc|mb)
-+@c read_int
-+@c __libc_use_alloca
-+@c process_arg
-+@c process_string_arg
-+@c extend_alloca
-+@c __parse_one_spec(wc|mb)
-+@c *__printf_arginfo_table unguarded
-+@c __printf_va_arg_table-> unguarded
-+@c *__printf_function_table unguarded
-+@c done_add
-+@c printf_unknown
-+@c   outchar
-+@c   _itoa_word
- This is the equivalent of @code{fprintf} with the variable argument list
- specified directly as for @code{vprintf}.
- @end deftypefun
-@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
- @comment stdio.h
- @comment GNU
- @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
- @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
- @c bringing with it additional potential for async trouble with
- @c list_all_lock.
-@@ -5076,7 +5112,7 @@ Got r
- @comment stdio.h
- @comment GNU
- @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
--@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
- This function opens a stream for writing to a buffer.  The buffer is
- allocated dynamically and grown as necessary, using @code{malloc}.
- After you've closed the stream, this buffer is your responsibility to
-@@ -5192,7 +5228,7 @@ closed.
- @comment stdio.h
- @comment GNU
- @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
--@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
- This function actually creates the stream for communicating with the
- @var{cookie} using the functions in the @var{io-functions} argument.
- The @var{opentype} argument is interpreted as for @code{fopen};

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7813e945b628c7ad8a53e4e1e9f8c9bcdcbba26a

commit 7813e945b628c7ad8a53e4e1e9f8c9bcdcbba26a
Merge: 233a8e5 fe734e3 46dbc4b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:53 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=233a8e5787e22d033aa1530a55a3b1f4dc5769b5

commit 233a8e5787e22d033aa1530a55a3b1f4dc5769b5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:53 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index b6b4736..62198e1 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 0d1caeb5637d1e9380fd955561a0f2d69bd78f12
-Head: 4317964c441ce5286d9d38d49a63be64118cf356
+Previous: 46dbc4b516036ae274f7ad8e4b90fbe8547d40e4
+Head: fe734e3c4e47da61876a28df92f216ffe7f91900
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -25,6 +25,7 @@ Applied:
   manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
   wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
   manual-document-mt-safety-stdio.patch: 4317964c441ce5286d9d38d49a63be64118cf356
+  refresh-temp: fe734e3c4e47da61876a28df92f216ffe7f91900
 Unapplied:
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..fe070cb
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,110 @@
+Bottom: e7e01aad2f34ba561dd0a0744ce4b8cd012180c4
+Top:    3db5dacd3a8c55bbd9c4924b1ac2ec9a35d2d732
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:12:52 -0300
+
+Refresh of manual-document-mt-safety-stdio.patch
+
+---
+
+diff --git a/manual/stdio.texi b/manual/stdio.texi
+index 7809dd4..79a3340 100644
+--- a/manual/stdio.texi
++++ b/manual/stdio.texi
+@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+ @c fopen may leak the list lock if cancelled within _IO_link_in.
+ The @code{fopen} function opens a stream for I/O to the file
+ @var{filename}, and returns a pointer to the stream.
+@@ -267,7 +267,7 @@ Locks}.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+ This function is similar to @code{fopen} but the stream it returns a
+ pointer for is opened using @code{open64}.  Therefore this stream can be
+ used even on files larger then @math{2^31} bytes on 32 bit machines.
+@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fclose (FILE *@var{stream})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+ @c After fclose, it is undefined behavior to use the stream it points
+ @c to.  Therefore, one must only call fclose when the stream is
+ @c otherwise unused.  Concurrent uses started before will complete
+@@ -2662,6 +2662,42 @@ pointer @var{ap}.
+ @c case of cancellation.  This doesn't make it unsafe, but cancelling it
+ @c may leak memory.  The unguarded use of __printf_function_table is
+ @c also of concern for all callers.
++@c _itoa ok
++@c   _udiv_qrnnd_preinv ok
++@c group_number ok
++@c _i18n_number_rewrite
++@c   __wctrans ok
++@c   __towctrans glocale
++@c   __wcrtomb ok? dup below
++@c   outdigit_value ok
++@c   outdigitwc_value ok
++@c outchar ok
++@c outstring ok
++@c PAD ok
++@c __printf_fp glocale memleak
++@c __printf_fphex glocale
++@c __readonly_area
++@c   [GNU/Linux] fopen, strtoul, free
++@c __strerror_r ok if no translation, check otherwise
++@c __btowc ? gconv-modules
++@c __wcrtomb ok (not using internal state) gconv-modules
++@c ARGCHECK
++@c UNBUFFERED_P (tested before taking the stream lock)
++@c buffered_vfprintf ok
++@c __find_spec(wc|mb)
++@c read_int
++@c __libc_use_alloca
++@c process_arg
++@c process_string_arg
++@c extend_alloca
++@c __parse_one_spec(wc|mb)
++@c *__printf_arginfo_table unguarded
++@c __printf_va_arg_table-> unguarded
++@c *__printf_function_table unguarded
++@c done_add
++@c printf_unknown
++@c   outchar
++@c   _itoa_word
+ This is the equivalent of @code{fprintf} with the variable argument list
+ specified directly as for @code{vprintf}.
+ @end deftypefun
+@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+ @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+ @c bringing with it additional potential for async trouble with
+ @c list_all_lock.
+@@ -5076,7 +5112,7 @@ Got r
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
+ This function opens a stream for writing to a buffer.  The buffer is
+ allocated dynamically and grown as necessary, using @code{malloc}.
+ After you've closed the stream, this buffer is your responsibility to
+@@ -5192,7 +5228,7 @@ closed.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+ This function actually creates the stream for communicating with the
+ @var{cookie} using the functions in the @var{io-functions} argument.
+ The @var{opentype} argument is interpreted as for @code{fopen};

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe734e3c4e47da61876a28df92f216ffe7f91900

commit fe734e3c4e47da61876a28df92f216ffe7f91900
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:52 2013 -0300

    Refresh of manual-document-mt-safety-stdio.patch

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 7809dd4..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 @c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
@@ -267,7 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
 @c After fclose, it is undefined behavior to use the stream it points
 @c to.  Therefore, one must only call fclose when the stream is
 @c otherwise unused.  Concurrent uses started before will complete
@@ -2662,6 +2662,42 @@ pointer @var{ap}.
 @c case of cancellation.  This doesn't make it unsafe, but cancelling it
 @c may leak memory.  The unguarded use of __printf_function_table is
 @c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
 @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
 @c bringing with it additional potential for async trouble with
 @c list_all_lock.
@@ -5076,7 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -5192,7 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=46dbc4b516036ae274f7ad8e4b90fbe8547d40e4

commit 46dbc4b516036ae274f7ad8e4b90fbe8547d40e4
Merge: 65240fd 0d1caeb 4317964
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:39 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0

commit b6c3b59f2ddf6ed9a14018f69daf993e2eaf27c0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,48 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2705,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2713,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2721,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2729,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2737,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2745,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2821,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3062,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3314,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3378,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3995,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +4010,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +4025,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +4033,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4041,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4055,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4082,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4091,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4100,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4108,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4116,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4124,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4174,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4184,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4198,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4209,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4237,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4248,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4362,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4375,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4399,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4415,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4435,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4459,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4508,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4630,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4645,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4658,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4675,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4787,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4800,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4817,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4839,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4864,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4942,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4956,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4968,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4983,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4997,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +5008,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5056,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5410,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5551,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=65240fd3a07048cfe76d16227b6e441df5380da3

commit 65240fd3a07048cfe76d16227b6e441df5380da3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:38 2013 -0300

    push

diff --git a/meta b/meta
index b562e1a..b6b4736 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 028f564b87a1b5e768093944d82e91ae2d4a1a40
-Head: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
+Previous: 0d1caeb5637d1e9380fd955561a0f2d69bd78f12
+Head: 4317964c441ce5286d9d38d49a63be64118cf356
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -24,7 +24,7 @@ Applied:
   manual-document-mt-safety-resource.patch: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
   manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
   wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
+  manual-document-mt-safety-stdio.patch: 4317964c441ce5286d9d38d49a63be64118cf356
 Unapplied:
-  manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index ad86e9d..373e2ca 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 18760d732995b8379bc372377398a8fd58732762
-Top:    f75097e48123219d68b9307cd827515c123cf0b8
+Bottom: 195f80ed20d8cfa61af3b5629d405de8be7b40fc
+Top:    e7e01aad2f34ba561dd0a0744ce4b8cd012180c4
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4317964c441ce5286d9d38d49a63be64118cf356

commit 4317964c441ce5286d9d38d49a63be64118cf356
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..7809dd4 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,12 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2785,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4201,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4399,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4594,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4764,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4781,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4906,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5076,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5192,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0d1caeb5637d1e9380fd955561a0f2d69bd78f12

commit 0d1caeb5637d1e9380fd955561a0f2d69bd78f12
Merge: df90f63 028f564 eefb3a2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:29 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=df90f634c259e2a8958e078880b8a10b76e8b50d

commit df90f634c259e2a8958e078880b8a10b76e8b50d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:29 2013 -0300

    import

diff --git a/meta b/meta
index ff7e84d..b562e1a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6d76ef68923238530b5af925972ec25e07f09f2a
-Head: 72885eef5a5c94642ef40c16b2838f314908e7da
+Previous: 028f564b87a1b5e768093944d82e91ae2d4a1a40
+Head: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -23,6 +23,7 @@ Applied:
   manual-document-mt-safety-math.patch: d3dde95c92ff8c7cd8e225a21b46c00449db834d
   manual-document-mt-safety-resource.patch: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
   manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
+  wip-manual-document-mt-safety-startup.patch: eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
diff --git a/patches/wip-manual-document-mt-safety-startup.patch b/patches/wip-manual-document-mt-safety-startup.patch
new file mode 100644
index 0000000..cd2fcf0
--- /dev/null
+++ b/patches/wip-manual-document-mt-safety-startup.patch
@@ -0,0 +1,28 @@
+Bottom: 8ae75524ca0a1176e4323c74b73cb0722e710364
+Top:    195f80ed20d8cfa61af3b5629d405de8be7b40fc
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:12:28 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/startup.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/startup.texi b/manual/startup.texi
+index a277714..7bbaf13 100644
+--- a/manual/startup.texi
++++ b/manual/startup.texi
+@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
+ The difference to the @code{setenv} function is that the exact string
+ given as the parameter @var{string} is put into the environment.  If the
+ user should change the string after the @code{putenv} call this will
+-reflect in automatically in the environment.  This also requires that
+-@var{string} is no automatic variable which scope is left before the
++reflect automatically in the environment.  This also requires that
++@var{string} not be an automatic variable whose scope is left before the
+ variable is removed from the environment.  The same applies of course to
+ dynamically allocated variables which are freed later.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eefb3a2e2f3449ada4e40429f0283ac79a5e3fec

commit eefb3a2e2f3449ada4e40429f0283ac79a5e3fec
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:12:28 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/startup.texi: Document thread safety properties.

diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=028f564b87a1b5e768093944d82e91ae2d4a1a40

commit 028f564b87a1b5e768093944d82e91ae2d4a1a40
Merge: 16ee509 72885ee 6d76ef6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:56 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=16ee5093c8a53d58dadae44624f15e244e6d4187

commit 16ee5093c8a53d58dadae44624f15e244e6d4187
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:56 2013 -0300

    import

diff --git a/meta b/meta
index 73e1f9c..ff7e84d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 1cf411981bae299f53e7cbd67aefd378561e3be0
-Head: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
+Previous: 6d76ef68923238530b5af925972ec25e07f09f2a
+Head: 72885eef5a5c94642ef40c16b2838f314908e7da
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -22,6 +22,7 @@ Applied:
   wip-manual-document-mt-safety-locale.patch: 26ea2d6064d2c298f6270e127600518ef48d28cf
   manual-document-mt-safety-math.patch: d3dde95c92ff8c7cd8e225a21b46c00449db834d
   manual-document-mt-safety-resource.patch: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
+  manual-document-mt-safety-search.patch: 72885eef5a5c94642ef40c16b2838f314908e7da
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
diff --git a/patches/manual-document-mt-safety-search.patch b/patches/manual-document-mt-safety-search.patch
new file mode 100644
index 0000000..fb52bb3
--- /dev/null
+++ b/patches/manual-document-mt-safety-search.patch
@@ -0,0 +1,70 @@
+Bottom: e27f818dd7517eeba6c572017e1d77241113d456
+Top:    8ae75524ca0a1176e4323c74b73cb0722e710364
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:11:55 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/search.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/search.texi b/manual/search.texi
+index efd3604..6910edc 100644
+--- a/manual/search.texi
++++ b/manual/search.texi
+@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
++@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
+ The @var{qsort} function sorts the array @var{array}.  The array contains
+ @var{count} elements, each of which is of size @var{size}.
+ 
+@@ -436,6 +437,11 @@ in the header file @file{search.h}.
+ @comment search.h
+ @comment SVID
+ @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
++@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
++@c The tree is not modified in a thread-safe manner, and rotations may
++@c leave the tree in an inconsistent state that could be observed in an
++@c asynchronous signal handler or after asynchronous cancellation of the
++@c thread performing the rotation or the insertion.
+ The @code{tsearch} function searches in the tree pointed to by
+ @code{*@var{rootp}} for an element matching @var{key}.  The function
+ pointed to by @var{compar} is used to determine whether two elements
+@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
+ @comment search.h
+ @comment SVID
+ @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+ The @code{tfind} function is similar to the @code{tsearch} function.  It
+ locates an element matching the one pointed to by @var{key} and returns
+ a pointer to this element.  But if no matching element is available no
+@@ -479,6 +486,7 @@ elements.
+ @comment search.h
+ @comment SVID
+ @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
++@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+ To remove a specific element matching @var{key} from the tree
+ @code{tdelete} can be used.  It locates the matching element using the
+ same method as @code{tfind}.  The corresponding element is then removed
+@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
+ @comment search.h
+ @comment GNU
+ @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
++@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+ If the complete search tree has to be removed one can use
+ @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
+ function to generate the tree pointed to by @var{vroot}.
+@@ -546,6 +555,7 @@ The current node is a leaf.
+ @comment search.h
+ @comment SVID
+ @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
++@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
+ For each node in the tree with a node pointed to by @var{root}, the
+ @code{twalk} function calls the function provided by the parameter
+ @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=72885eef5a5c94642ef40c16b2838f314908e7da

commit 72885eef5a5c94642ef40c16b2838f314908e7da
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:55 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/search.texi: Document thread safety properties.

diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6d76ef68923238530b5af925972ec25e07f09f2a

commit 6d76ef68923238530b5af925972ec25e07f09f2a
Merge: b497c49 5d3bcb1 1cf4119
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:18 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b497c49e52aaedc3cf7cbf5c68ddfee03482e6c7

commit b497c49e52aaedc3cf7cbf5c68ddfee03482e6c7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:18 2013 -0300

    push

diff --git a/meta b/meta
index c5eca2a..73e1f9c 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: a7ee668dad2fe9eff02944d144e0563e8010b56f
-Head: d3dde95c92ff8c7cd8e225a21b46c00449db834d
+Previous: 1cf411981bae299f53e7cbd67aefd378561e3be0
+Head: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -21,8 +21,8 @@ Applied:
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
   wip-manual-document-mt-safety-locale.patch: 26ea2d6064d2c298f6270e127600518ef48d28cf
   manual-document-mt-safety-math.patch: d3dde95c92ff8c7cd8e225a21b46c00449db834d
+  manual-document-mt-safety-resource.patch: 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
 Unapplied:
-  manual-document-mt-safety-resource.patch: 92b145ac00e9dc2a9143644e5df35d849d789cf1
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
index 5b2e192..3fa9fb2 100644
--- a/patches/manual-document-mt-safety-resource.patch
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -1,5 +1,5 @@
-Bottom: 9a5ec672bda784c35e1f86d0f274cdb9e58f217c
-Top:    d713f011ada06fb3801e4032349a8ad88e6bc10c
+Bottom: d5ba9adc90be6728f409ed99bc36a2fc6e659db0
+Top:    e27f818dd7517eeba6c572017e1d77241113d456
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:11:00 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d

commit 5d3bcb1ba7f570bffb709e724d0f7b7f7c54af6d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1cf411981bae299f53e7cbd67aefd378561e3be0

commit 1cf411981bae299f53e7cbd67aefd378561e3be0
Merge: 0143f21 d3dde95 a7ee668
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:14 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0143f2179b4146932a210ef1eebd3a4d604ebf4b

commit 0143f2179b4146932a210ef1eebd3a4d604ebf4b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:14 2013 -0300

    float

diff --git a/meta b/meta
index 9f55f60..c5eca2a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: daf305833c7d056c5fdee51b490cefaf60d5b417
-Head: 26ea2d6064d2c298f6270e127600518ef48d28cf
+Previous: a7ee668dad2fe9eff02944d144e0563e8010b56f
+Head: d3dde95c92ff8c7cd8e225a21b46c00449db834d
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -20,9 +20,9 @@ Applied:
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
   wip-manual-document-mt-safety-locale.patch: 26ea2d6064d2c298f6270e127600518ef48d28cf
+  manual-document-mt-safety-math.patch: d3dde95c92ff8c7cd8e225a21b46c00449db834d
 Unapplied:
   manual-document-mt-safety-resource.patch: 92b145ac00e9dc2a9143644e5df35d849d789cf1
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
-  manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 336844e..66820ca 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: 3b40240eced54a0f63e844f5354c9ab2106ba9d3
-Top:    edfbd2bf9a8a7592b48fc6ddfd6dd6a196355d21
+Bottom: 9a5ec672bda784c35e1f86d0f274cdb9e58f217c
+Top:    d5ba9adc90be6728f409ed99bc36a2fc6e659db0
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d3dde95c92ff8c7cd8e225a21b46c00449db834d

commit d3dde95c92ff8c7cd8e225a21b46c00449db834d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a7ee668dad2fe9eff02944d144e0563e8010b56f

commit a7ee668dad2fe9eff02944d144e0563e8010b56f
Merge: 46fa156 daf3058
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:10 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=46fa15640d7c007544f208000ef5ffc74fada4fb

commit 46fa15640d7c007544f208000ef5ffc74fada4fb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:10 2013 -0300

    pop

diff --git a/meta b/meta
index afd5834..9f55f60 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5ea127b745d4510b2dd3d381784775ebcfb495c1
-Head: 92b145ac00e9dc2a9143644e5df35d849d789cf1
+Previous: daf305833c7d056c5fdee51b490cefaf60d5b417
+Head: 26ea2d6064d2c298f6270e127600518ef48d28cf
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -20,8 +20,8 @@ Applied:
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
   wip-manual-document-mt-safety-locale.patch: 26ea2d6064d2c298f6270e127600518ef48d28cf
-  manual-document-mt-safety-resource.patch: 92b145ac00e9dc2a9143644e5df35d849d789cf1
 Unapplied:
+  manual-document-mt-safety-resource.patch: 92b145ac00e9dc2a9143644e5df35d849d789cf1
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=daf305833c7d056c5fdee51b490cefaf60d5b417

commit daf305833c7d056c5fdee51b490cefaf60d5b417
Merge: eab9e78 5ea127b 92b145a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eab9e7849544510e21f3b4aa25d1d6956cfbba9c

commit eab9e7849544510e21f3b4aa25d1d6956cfbba9c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    import

diff --git a/meta b/meta
index 9b76d00..afd5834 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: d31f4f30b9ed6d8c6101ceb14f8586a37d97d0e7
-Head: 26ea2d6064d2c298f6270e127600518ef48d28cf
+Previous: 5ea127b745d4510b2dd3d381784775ebcfb495c1
+Head: 92b145ac00e9dc2a9143644e5df35d849d789cf1
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
   wip-manual-document-mt-safety-locale.patch: 26ea2d6064d2c298f6270e127600518ef48d28cf
+  manual-document-mt-safety-resource.patch: 92b145ac00e9dc2a9143644e5df35d849d789cf1
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
diff --git a/patches/manual-document-mt-safety-resource.patch b/patches/manual-document-mt-safety-resource.patch
new file mode 100644
index 0000000..5b2e192
--- /dev/null
+++ b/patches/manual-document-mt-safety-resource.patch
@@ -0,0 +1,83 @@
+Bottom: 9a5ec672bda784c35e1f86d0f274cdb9e58f217c
+Top:    d713f011ada06fb3801e4032349a8ad88e6bc10c
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:11:00 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/resource.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/resource.texi b/manual/resource.texi
+index 1ec7af2..71b08f7 100644
+--- a/manual/resource.texi
++++ b/manual/resource.texi
+@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
+ @comment sys/resource.h
+ @comment BSD
+ @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct syscall on most systems.
+ Read the current and maximum limits for the resource @var{resource}
+ and store them in @code{*@var{rlp}}.
+ 
+@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
+ @comment sys/resource.h
+ @comment Unix98
+ @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
+ This function is similar to @code{getrlimit} but its second parameter is
+ a pointer to a variable of type @code{struct rlimit64}, which allows it
+ to read values which wouldn't fit in the member of a @code{struct
+@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int getpagesize (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
++@c the exception, with the possibility of a syscall.
+ The @code{getpagesize} function returns the page size of the process.
+ This value is fixed for the runtime of the process but can vary in
+ different runs of the application.
+@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun {long int} get_phys_pages (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
++@c This fopens a /proc file and scans it for the requested information.
+ The @code{get_phys_pages} function returns the total number of pages of
+ physical the system has.  To get the amount of memory this number has to
+ be multiplied by the page size.
+@@ -1569,6 +1578,7 @@ This function is a GNU extension.
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun {long int} get_avphys_pages (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+ The @code{get_phys_pages} function returns the number of available pages of
+ physical the system has.  To get the amount of memory this number has to
+ be multiplied by the page size.
+@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun int get_nprocs_conf (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
++@c This function reads from from /sys using dir streams (single user, so
++@c no staticbuf MT-Safety issue), and on some arches, from /proc using
++@c streams.
+ The @code{get_nprocs_conf} function returns the number of processors the
+ operating system configured.
+ 
+@@ -1623,6 +1637,8 @@ This function is a GNU extension.
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun int get_nprocs (void)
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
++@c This function reads from /proc using file descriptor I/O.
+ The @code{get_nprocs} function returns the number of available processors.
+ 
+ This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=92b145ac00e9dc2a9143644e5df35d849d789cf1

commit 92b145ac00e9dc2a9143644e5df35d849d789cf1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:11:00 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/resource.texi: Document thread safety properties.

diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5ea127b745d4510b2dd3d381784775ebcfb495c1

commit 5ea127b745d4510b2dd3d381784775ebcfb495c1
Merge: b725d38 d31f4f3 26ea2d6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:33 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b725d38d9b1ea0daae2378b3177f8bf6ab49e2fd

commit b725d38d9b1ea0daae2378b3177f8bf6ab49e2fd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:33 2013 -0300

    refresh

diff --git a/meta b/meta
index 7c829cd..9b76d00 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7ab19d05f7ab97a9f433fd1b24e1569e06752ddf
-Head: 3c492e4cb73b102004f78143627f4afcb4a941e8
+Previous: d31f4f30b9ed6d8c6101ceb14f8586a37d97d0e7
+Head: 26ea2d6064d2c298f6270e127600518ef48d28cf
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -19,8 +19,7 @@ Applied:
   manual-document-mt-safety-lang.patch: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
-  wip-manual-document-mt-safety-locale.patch: 965b78d1907aee9c2883d16ed9978379e22eccce
-  refresh-temp: 3c492e4cb73b102004f78143627f4afcb4a941e8
+  wip-manual-document-mt-safety-locale.patch: 26ea2d6064d2c298f6270e127600518ef48d28cf
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index d4ce415..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,34 +0,0 @@
-Bottom: 0eeefb1a35224c039dbbaef4f501176743a94c97
-Top:    9a5ec672bda784c35e1f86d0f274cdb9e58f217c
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:10:33 -0300
-
-Refresh of wip-manual-document-mt-safety-locale.patch
-
----
-
-diff --git a/manual/locale.texi b/manual/locale.texi
-index 323268d..da50d18 100644
---- a/manual/locale.texi
-+++ b/manual/locale.texi
-@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
- @comment locale.h
- @comment ISO
- @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
--@safety{@mtunsafe{uunguard}}
--@c This function is MT-Safe, but uses of the global locale object are
--@c unguarded in functions that ought to be MT-Safe, so we're ruling out
--@c the use of this function once threads are started.
-+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
-+@c Uses of the global locale object are unguarded in functions that
-+@c ought to be MT-Safe, so we're ruling out the use of this function
-+@c once threads are started.  It takes a write lock itself, but it may
-+@c return a pointer loaded from the global locale object after releasing
-+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
-+@c and free, and _nl_find_locale, which amount to all documented safety
-+@c issues.  It also calls new_composite_name, setdata, and setname,
-+@c without any additional issues.  _nl_find_locale calls getenv, ...
-+This function returns a pointer read 
- The function @code{setlocale} sets the current locale for category
- @var{category} to @var{locale}.  A list of all the locales the system
- provides can be created by running
diff --git a/patches/wip-manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
index 05f521a..6515b05 100644
--- a/patches/wip-manual-document-mt-safety-locale.patch
+++ b/patches/wip-manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
 Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
-Top:    0eeefb1a35224c039dbbaef4f501176743a94c97
+Top:    9a5ec672bda784c35e1f86d0f274cdb9e58f217c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
@@ -13,17 +13,23 @@ for  ChangeLog
 ---
 
 diff --git a/manual/locale.texi b/manual/locale.texi
-index 2f10fcd..323268d 100644
+index 2f10fcd..da50d18 100644
 --- a/manual/locale.texi
 +++ b/manual/locale.texi
-@@ -224,6 +224,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
+@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
  @comment locale.h
  @comment ISO
  @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-+@safety{@mtunsafe{uunguard}}
-+@c This function is MT-Safe, but uses of the global locale object are
-+@c unguarded in functions that ought to be MT-Safe, so we're ruling out
-+@c the use of this function once threads are started.
++@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c Uses of the global locale object are unguarded in functions that
++@c ought to be MT-Safe, so we're ruling out the use of this function
++@c once threads are started.  It takes a write lock itself, but it may
++@c return a pointer loaded from the global locale object after releasing
++@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
++@c and free, and _nl_find_locale, which amount to all documented safety
++@c issues.  It also calls new_composite_name, setdata, and setname,
++@c without any additional issues.  _nl_find_locale calls getenv, ...
++This function returns a pointer read 
  The function @code{setlocale} sets the current locale for category
  @var{category} to @var{locale}.  A list of all the locales the system
  provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d31f4f30b9ed6d8c6101ceb14f8586a37d97d0e7

commit d31f4f30b9ed6d8c6101ceb14f8586a37d97d0e7
Merge: bd1c881 7ab19d0 3c492e4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:33 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bd1c8815ec1444905bcac77db104b3f50fa7e079

commit bd1c8815ec1444905bcac77db104b3f50fa7e079
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:33 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 1425e91..7c829cd 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7a837af0e05b2583166686c9c4318de041c45d60
-Head: 965b78d1907aee9c2883d16ed9978379e22eccce
+Previous: 7ab19d05f7ab97a9f433fd1b24e1569e06752ddf
+Head: 3c492e4cb73b102004f78143627f4afcb4a941e8
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -20,6 +20,7 @@ Applied:
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
   wip-manual-document-mt-safety-locale.patch: 965b78d1907aee9c2883d16ed9978379e22eccce
+  refresh-temp: 3c492e4cb73b102004f78143627f4afcb4a941e8
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..d4ce415
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,34 @@
+Bottom: 0eeefb1a35224c039dbbaef4f501176743a94c97
+Top:    9a5ec672bda784c35e1f86d0f274cdb9e58f217c
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:10:33 -0300
+
+Refresh of wip-manual-document-mt-safety-locale.patch
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 323268d..da50d18 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @comment locale.h
+ @comment ISO
+ @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+-@safety{@mtunsafe{uunguard}}
+-@c This function is MT-Safe, but uses of the global locale object are
+-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
+-@c the use of this function once threads are started.
++@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c Uses of the global locale object are unguarded in functions that
++@c ought to be MT-Safe, so we're ruling out the use of this function
++@c once threads are started.  It takes a write lock itself, but it may
++@c return a pointer loaded from the global locale object after releasing
++@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
++@c and free, and _nl_find_locale, which amount to all documented safety
++@c issues.  It also calls new_composite_name, setdata, and setname,
++@c without any additional issues.  _nl_find_locale calls getenv, ...
++This function returns a pointer read 
+ The function @code{setlocale} sets the current locale for category
+ @var{category} to @var{locale}.  A list of all the locales the system
+ provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3c492e4cb73b102004f78143627f4afcb4a941e8

commit 3c492e4cb73b102004f78143627f4afcb4a941e8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:33 2013 -0300

    Refresh of wip-manual-document-mt-safety-locale.patch

diff --git a/manual/locale.texi b/manual/locale.texi
index 323268d..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-@safety{@mtunsafe{uunguard}}
-@c This function is MT-Safe, but uses of the global locale object are
-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
-@c the use of this function once threads are started.
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7ab19d05f7ab97a9f433fd1b24e1569e06752ddf

commit 7ab19d05f7ab97a9f433fd1b24e1569e06752ddf
Merge: bfddd8a 7a837af
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:13 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bfddd8addf1b08bde28e5e930baf4961581eeb0e

commit bfddd8addf1b08bde28e5e930baf4961581eeb0e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:13 2013 -0300

    rename

diff --git a/meta b/meta
index 25c936c..1425e91 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 59ed620f06b93f72d4bfeeffad6efccee52fb9f5
+Previous: 7a837af0e05b2583166686c9c4318de041c45d60
 Head: 965b78d1907aee9c2883d16ed9978379e22eccce
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
@@ -19,7 +19,7 @@ Applied:
   manual-document-mt-safety-lang.patch: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
-  manual-document-mt-safety-locale.patch: 965b78d1907aee9c2883d16ed9978379e22eccce
+  wip-manual-document-mt-safety-locale.patch: 965b78d1907aee9c2883d16ed9978379e22eccce
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
diff --git a/patches/manual-document-mt-safety-locale.patch b/patches/wip-manual-document-mt-safety-locale.patch
similarity index 100%
rename from patches/manual-document-mt-safety-locale.patch
rename to patches/wip-manual-document-mt-safety-locale.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=26ea2d6064d2c298f6270e127600518ef48d28cf

commit 26ea2d6064d2c298f6270e127600518ef48d28cf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=965b78d1907aee9c2883d16ed9978379e22eccce

commit 965b78d1907aee9c2883d16ed9978379e22eccce
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..323268d 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard}}
+@c This function is MT-Safe, but uses of the global locale object are
+@c unguarded in functions that ought to be MT-Safe, so we're ruling out
+@c the use of this function once threads are started.
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7a837af0e05b2583166686c9c4318de041c45d60

commit 7a837af0e05b2583166686c9c4318de041c45d60
Merge: bbfc066 965b78d 59ed620
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:01 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bbfc066da6cce7e47b8dadc31ccfb867fc966745

commit bbfc066da6cce7e47b8dadc31ccfb867fc966745
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:10:01 2013 -0300

    float

diff --git a/meta b/meta
index 23045ee..25c936c 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: d1b5808eaefe152c160fe51db180ee67bf67caec
-Head: 59483ceaa7daf7600c59559794b428683ea152ba
+Previous: 59ed620f06b93f72d4bfeeffad6efccee52fb9f5
+Head: 965b78d1907aee9c2883d16ed9978379e22eccce
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -19,9 +19,9 @@ Applied:
   manual-document-mt-safety-lang.patch: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
   manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
+  manual-document-mt-safety-locale.patch: 965b78d1907aee9c2883d16ed9978379e22eccce
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
-  manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Hidden:
diff --git a/patches/manual-document-mt-safety-locale.patch b/patches/manual-document-mt-safety-locale.patch
index 4eae5d6..05f521a 100644
--- a/patches/manual-document-mt-safety-locale.patch
+++ b/patches/manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: f75097e48123219d68b9307cd827515c123cf0b8
-Top:    3b40240eced54a0f63e844f5354c9ab2106ba9d3
+Bottom: baf6738652c9240a7ea48273cff318ffb17716d8
+Top:    0eeefb1a35224c039dbbaef4f501176743a94c97
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=59483ceaa7daf7600c59559794b428683ea152ba

commit 59483ceaa7daf7600c59559794b428683ea152ba
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/llio.texi: Document thread safety properties.

diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=59ed620f06b93f72d4bfeeffad6efccee52fb9f5

commit 59ed620f06b93f72d4bfeeffad6efccee52fb9f5
Merge: 511dc6f d1b5808 59483ce
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=511dc6f08b227550f80aa028c77d89c8ddc6559d

commit 511dc6f08b227550f80aa028c77d89c8ddc6559d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:09:32 2013 -0300

    import

diff --git a/meta b/meta
index a5364f4..23045ee 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 55b9c1e2c45ebb7abdd12b9b1ef546eba08829bd
-Head: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
+Previous: d1b5808eaefe152c160fe51db180ee67bf67caec
+Head: 59483ceaa7daf7600c59559794b428683ea152ba
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -18,6 +18,7 @@ Applied:
   manual-document-mt-safety-job.patch: 138c83afb5f7d92dcac1049f150b154d43addda2
   manual-document-mt-safety-lang.patch: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
   manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
+  manual-document-mt-safety-llio.patch: 59483ceaa7daf7600c59559794b428683ea152ba
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
diff --git a/patches/manual-document-mt-safety-llio.patch b/patches/manual-document-mt-safety-llio.patch
new file mode 100644
index 0000000..274aefd
--- /dev/null
+++ b/patches/manual-document-mt-safety-llio.patch
@@ -0,0 +1,649 @@
+Bottom: 5d6bbf322290ec49c7df2274a5b3ec79d32fd303
+Top:    baf6738652c9240a7ea48273cff318ffb17716d8
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:09:32 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/llio.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/llio.texi b/manual/llio.texi
+index b129cf4..66370c4 100644
+--- a/manual/llio.texi
++++ b/manual/llio.texi
+@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
+ @comment fcntl.h
+ @comment POSIX.1
+ @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ The @code{open} function creates and returns a new file descriptor for
+ the file named by @var{filename}.  Initially, the file position
+ indicator for the file is at the beginning of the file.  The argument
+@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
+ @comment fcntl.h
+ @comment Unix98
+ @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ This function is similar to @code{open}.  It returns a file descriptor
+ which can be used to access the file named by @var{filename}.  The only
+ difference is that on 32 bit systems the file is opened in the
+@@ -178,6 +180,7 @@ replaces the old API.
+ @comment fcntl.h
+ @comment POSIX.1
+ @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ This function is obsolete.  The call:
+ 
+ @smallexample
+@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
+ @comment fcntl.h
+ @comment Unix98
+ @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ This function is similar to @code{creat}.  It returns a file descriptor
+ which can be used to access the file named by @var{filename}.  The only
+ the difference is that on 32 bit systems the file is opened in the
+@@ -219,6 +223,7 @@ replaces the old API.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int close (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ The function @code{close} closes the file descriptor @var{filedes}.
+ Closing a file has the following consequences:
+ 
+@@ -300,6 +305,7 @@ but must be a signed type.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{read} function reads up to @var{size} bytes from the file
+ with descriptor @var{filedes}, storing the results in the @var{buffer}.
+ (This is not necessarily a character string, and no terminating null
+@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek, read and lseek back, but is it
++@c used anywhere?
+ The @code{pread} function is similar to the @code{read} function.  The
+ first three arguments are identical, and the return values and error
+ codes also correspond.
+@@ -430,6 +440,10 @@ version 2.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
++@c it used anywhere?
+ This function is similar to the @code{pread} function.  The difference
+ is that the @var{offset} parameter is of type @code{off64_t} instead of
+ @code{off_t} which makes it possible on 32 bit machines to address
+@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{write} function writes up to @var{size} bytes from
+ @var{buffer} to the file with descriptor @var{filedes}.  The data in
+ @var{buffer} is not necessarily a character string and a null character is
+@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek, write and lseek back, but is it
++@c used anywhere?
+ The @code{pwrite} function is similar to the @code{write} function.  The
+ first three arguments are identical, and the return values and error codes
+ also correspond.
+@@ -592,6 +611,10 @@ version 2.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
++@c is it used anywhere?
+ This function is similar to the @code{pwrite} function.  The difference
+ is that the @var{offset} parameter is of type @code{off64_t} instead of
+ @code{off_t} which makes it possible on 32 bit machines to address
+@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{lseek} function is used to change the file position of the
+ file with descriptor @var{filedes}.
+ 
+@@ -713,6 +737,7 @@ descriptors.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to the @code{lseek} function.  The difference
+ is that the @var{offset} parameter is of type @code{off64_t} instead of
+ @code{off_t} which makes it possible on 32 bit machines to address
+@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment POSIX.1
+ @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+ The @code{fdopen} function returns a new stream for the file descriptor
+ @var{filedes}.
+ 
+@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
+ @comment stdio.h
+ @comment POSIX.1
+ @deftypefun int fileno (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function returns the file descriptor associated with the stream
+ @var{stream}.  If an error is detected (for example, if the @var{stream}
+ is not valid) or if @var{stream} does not do I/O to a file,
+@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int fileno_unlocked (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fileno_unlocked} function is equivalent to the @code{fileno}
+ function except that it does not implicitly lock the stream if the state
+ is @code{FSETLOCKING_INTERNAL}.
+@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
+ @comment sys/uio.h
+ @comment BSD
+ @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+-
++@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++@c The fallback sysdeps/posix implementation, used even on GNU/Linux
++@c with old kernels that lack a full readv/writev implementation, may
++@c malloc the buffer into which data is read, if the total read size is
++@c too large for alloca.
+ The @code{readv} function reads data from @var{filedes} and scatters it
+ into the buffers described in @var{vector}, which is taken to be
+ @var{count} structures long.  As each buffer is filled, data is sent to the
+@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
+ @comment sys/uio.h
+ @comment BSD
+ @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
++@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++@c The fallback sysdeps/posix implementation, used even on GNU/Linux
++@c with old kernels that lack a full readv/writev implementation, may
++@c malloc the buffer from which data is written, if the total write size
++@c is too large for alloca.
+ 
+ The @code{writev} function gathers data from the buffers described in
+ @var{vector}, which is taken to be @var{count} structures long, and writes
+@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The @code{mmap} function creates a new mapping, connected to bytes
+ (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
+@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
+ @comment sys/mman.h
+ @comment LFS
+ @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
++@c is) would be thread-unsafe.
+ The @code{mmap64} function is equivalent to the @code{mmap} function but
+ the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
+ this allows the file associated with the @var{filedes} descriptor to be
+@@ -1284,6 +1325,7 @@ replaces the old API.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun int munmap (void *@var{addr}, size_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
+ @var{length}).  @var{length} should be the length of the mapping.
+@@ -1310,6 +1352,7 @@ aligned.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ When using shared mappings, the kernel can write the file at any time
+ before the mapping is removed.  To be certain data has actually been
+@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
+ @comment sys/mman.h
+ @comment GNU
+ @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This function can be used to change the size of an existing memory
+ area. @var{address} and @var{length} must cover a region entirely mapped
+@@ -1405,6 +1449,7 @@ Coding Standards}.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This function can be used to provide the system with @var{advice} about
+ the intended usage patterns of the memory region starting at @var{addr}
+@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro void FD_ZERO (fd_set *@var{set})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro initializes the file descriptor set @var{set} to be the
+ empty set.
+ @end deftypefn
+@@ -1538,6 +1584,9 @@ empty set.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Setting a bit isn't necessarily atomic, so there's a potential race
++@c here if set is not used exclusively.
+ This macro adds @var{filedes} to the file descriptor set @var{set}.
+ 
+ The @var{filedes} parameter must not have side effects since it is
+@@ -1547,6 +1596,9 @@ evaluated more than once.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Setting a bit isn't necessarily atomic, so there's a potential race
++@c here if set is not used exclusively.
+ This macro removes @var{filedes} from the file descriptor set @var{set}.
+ 
+ The @var{filedes} parameter must not have side effects since it is
+@@ -1556,6 +1608,7 @@ evaluated more than once.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value (true) if @var{filedes} is a member
+ of the file descriptor set @var{set}, and zero (false) otherwise.
+ 
+@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The select syscall is preferred, but pselect6 may be used instead,
++@c which requires converting timeout to a timespec and back.  The
++@c conversions are not atomic.
+ The @code{select} function blocks the calling process until there is
+ activity on any of the specified sets of file descriptors, or until the
+ timeout period has expired.
+@@ -1670,6 +1727,7 @@ they return.
+ @comment unistd.h
+ @comment X/Open
+ @deftypefun void sync (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ A call to this function will not return as long as there is data which
+ has not been written to the device.  All dirty buffers in the kernel will
+ be written and so an overall consistent system can be achieved (if no
+@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int fsync (int @var{fildes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fsync} function can be used to make sure all data associated with
+ the open file @var{fildes} is written to the device associated with the
+ descriptor.  The function call does not return unless all actions have
+@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int fdatasync (int @var{fildes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ When a call to the @code{fdatasync} function returns, it is ensured
+ that all of the file data is written to the device.  For all pending I/O
+ operations, the parts guaranteeing data integrity finished.
+@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_read (struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c Calls aio_enqueue_request.
++@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
++@c  pthread_self ok
++@c  pthread_getschedparam selfdeadlock, lockleak
++@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
++@c   sched_getparam ok
++@c   sched_getscheduler ok
++@c   lll_unlock lockleak
++@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
++@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
++@c   realloc asmalloc, memleak
++@c   calloc asmalloc, memleak
++@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
++@c   pthread_attr_init ok
++@c   pthread_attr_setdetachstate ok
++@c   pthread_get_minstack ok
++@c   pthread_attr_setstacksize ok
++@c   sigfillset ok
++@c    memset ok
++@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
++@c   SYSCALL rt_sigprocmask ok
++@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
++@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
++@c    alloca/malloc asmalloc, memleak
++@c    lll_unlock lockleak
++@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
++@c     getpagesize dup
++@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
++@c     lll_unlock lockleak
++@c     _dl_allocate_tls asmalloc, memleak
++@c      _dl_allocate_tls_storage asmalloc, memleak
++@c       memalign asmalloc, memleak
++@c       memset ok
++@c       allocate_dtv dup
++@c       free asmalloc, memleak
++@c      allocate_dtv asmalloc, memleak
++@c       calloc asmalloc, memleak
++@c       INSTALL_DTV ok
++@c     list_add dup
++@c     get_cached_stack
++@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
++@c      list_for_each ok
++@c      list_entry dup
++@c      FREE_P dup
++@c      stack_list_del dup
++@c      stack_list_add dup
++@c      lll_unlock lockleak
++@c      _dl_allocate_tls_init ok
++@c       GET_DTV ok
++@c     mmap ok
++@c     atomic_increment_val ok
++@c     munmap ok
++@c     change_stack_perm ok
++@c      mprotect ok
++@c     mprotect ok
++@c     stack_list_del dup
++@c     _dl_deallocate_tls dup
++@c     munmap ok
++@c    THREAD_COPY_STACK_GUARD ok
++@c    THREAD_COPY_POINTER_GUARD ok
++@c    atomic_exchange_acq ok
++@c    lll_futex_wake ok
++@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
++@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
++@c     stack_list_del ok
++@c      atomic_write_barrier ok
++@c      list_del ok [uunguard]
++@c      atomic_write_barrier ok
++@c     queue_stack asmalloc, memleak
++@c      stack_list_add ok
++@c       atomic_write_barrier ok
++@c       list_add ok [uunguard]
++@c       atomic_write_barrier ok
++@c      free_stacks asmalloc, memleak
++@c       list_for_each_prev_safe ok
++@c       list_entry ok
++@c       FREE_P ok
++@c       stack_list_del dup
++@c       _dl_deallocate_tls dup
++@c       munmap ok
++@c     _dl_deallocate_tls asmalloc, memleak
++@c      free asmalloc, memleak
++@c     lll_unlock lockleak
++@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
++@c     td_eventword
++@c     td_eventmask
++@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
++@c      PREPARE_CREATE ok
++@c      lll_lock (pd->lock) selfdeadlock, lockleak
++@c      atomic_increment ok
++@c      clone ok
++@c      atomic_decrement ok
++@c      atomic_exchange_acq ok
++@c      lll_futex_wake ok
++@c      deallocate_stack dup
++@c      sched_setaffinity ok
++@c      tgkill ok
++@c      sched_setscheduler ok
++@c     atomic_compare_and_exchange_bool_acq ok
++@c     nptl_create_event ok
++@c     lll_unlock (pd->lock) lockleak
++@c    free asmalloc, memleak
++@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
++@c  add_request_to_runlist ok [xguargs]
++@c  pthread_cond_signal ok
++@c  aio_free_request ok [xguargs]
++@c  pthread_mutex_unlock lockleak
++
++@c (in the new thread, initiated with clone)
++@c    start_thread ok
++@c     HP_TIMING_NOW ok
++@c     ctype_init [glocale] (in theory, but optimized into safety)
++@c     atomic_exchange_acq ok
++@c     lll_futex_wake ok
++@c     sigemptyset ok
++@c     sigaddset ok
++@c     setjmp ok
++@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
++@c      do_cancel ok
++@c       pthread_unwind ok
++@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
++@c     lll_lock selfdeadlock, lockleak
++@c     lll_unlock selfdeadlock, lockleak
++@c     CANCEL_RESET -> pthread_disable_asynccancel ok
++@c      lll_futex_wait ok
++@c     ->start_routine ok -----
++@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
++@c      user-supplied dtor
++@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
++@c      rtld_lock_unlock_recursive lockleak
++@c      free asmalloc, memleak
++@c     nptl_deallocate_tsd asmalloc, memleak
++@c      tsd user-supplied dtors ok
++@c      free asmalloc, memleak
++@c     libc_thread_freeres
++@c      libc_thread_subfreeres ok
++@c     atomic_decrement_and_test ok
++@c     td_eventword ok
++@c     td_eventmask ok
++@c     atomic_compare_exchange_bool_acq ok
++@c     nptl_death_event ok
++@c     lll_robust_dead ok
++@c     getpagesize ok
++@c     madvise ok
++@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
++@c      free asmalloc, memleak
++@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
++@c     lll_futex_wait ok
++@c     exit_thread_inline ok
++@c      syscall(exit) ok
++
+ This function initiates an asynchronous read operation.  It
+ immediately returns after the operation was enqueued or when an
+ error was encountered.
+@@ -1988,6 +2200,7 @@ replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to the @code{aio_read} function.  The only
+ difference is that on @w{32 bit} machines, the file descriptor should
+ be opened in the large file mode.  Internally, @code{aio_read64} uses
+@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_write (struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function initiates an asynchronous write operation.  The function
+ call immediately returns after the operation was enqueued or if before
+ this happens an error was encountered.
+@@ -2072,6 +2286,7 @@ replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to the @code{aio_write} function.  The only
+ difference is that on @w{32 bit} machines the file descriptor should
+ be opened in the large file mode.  Internally @code{aio_write64} uses
+@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
++@c enqueues each request.  Then, it waits for notification or prepares
++@c for it before releasing the lock.  Even though it performs memory
++@c allocation and locking of its own, it doesn't add any classes of
++@c safety issues that aren't already covered by aio_enqueue_request.
+ The @code{lio_listio} function can be used to enqueue an arbitrary
+ number of read and write requests at one time.  The requests can all be
+ meant for the same file, all for different files or every solution in
+@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to the @code{lio_listio} function.  The only
+ difference is that on @w{32 bit} machines, the file descriptor should
+ be opened in the large file mode.  Internally, @code{lio_listio64} uses
+@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function determines the error state of the request described by the
+ @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
+ request has not yet terminated the value returned is always
+@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{aio_error} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2238,6 +2462,7 @@ machines.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function can be used to retrieve the return status of the operation
+ carried out by the request described in the variable pointed to by
+ @var{aiocbp}.  As long as the error status of this request as returned
+@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{aio_return} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c After fcntl to check that the FD is open, it calls
++@c aio_enqueue_request.
+ Calling this function forces all I/O operations operating queued at the
+ time of the function call operating on the file descriptor
+ @code{aiocbp->aio_fildes} into the synchronized I/O completion state
+@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to @code{aio_fsync} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c Take aio_requests_mutex, set up waitlist and requestlist, wait
++@c for completion or timeout, and release the mutex.
+ When calling this function, the calling thread is suspended until at
+ least one of the requests pointed to by the @var{nent} elements of the
+ array @var{list} has completed.  If any of the requests has already
+@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ This function is similar to @code{aio_suspend} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c After fcntl to check the fd is open, hold aio_requests_mutex, call
++@c aio_find_req_fd, aio_remove_request, then aio_notify and
++@c aio_free_request each request before releasing the lock.
++@c aio_notify calls aio_notify_only and free, besides cond signal or
++@c similar.  aio_notify_only calls pthread_attr_init,
++@c pthread_attr_setdetachstate, malloc, pthread_create,
++@c notify_func_wrapper, aio_sigqueue, getpid, raise.
++@c notify_func_wraper calls aio_start_notify_thread, free and then the
++@c notifier function.
+ The @code{aio_cancel} function can be used to cancel one or more
+ outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
+ function tries to cancel all of the outstanding requests which would process
+@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to @code{aio_cancel} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2529,6 +2774,8 @@ Unused.
+ @comment aio.h
+ @comment GNU
+ @deftypefun void aio_init (const struct aioinit *@var{init})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c All changes to global objects are guarded by aio_requests_mutex.
+ This function must be called before any other AIO function.  Calling it
+ is completely voluntary, as it is only meant to help the AIO
+ implementation perform better.
+@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
+ @comment fcntl.h
+ @comment POSIX.1
+ @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fcntl} function performs the operation specified by
+ @var{command} on the file descriptor @var{filedes}.  Some commands
+ require additional arguments to be supplied.  These additional arguments
+@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int dup (int @var{old})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function copies descriptor @var{old} to the first available
+ descriptor number (the first number not currently open).  It is
+ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
+@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int dup2 (int @var{old}, int @var{new})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function copies the descriptor @var{old} to descriptor number
+ @var{new}.
+ 
+@@ -3631,6 +3881,7 @@ different headers.
+ @comment sys/ioctl.h
+ @comment BSD
+ @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The @code{ioctl} function performs the generic I/O operation
+ @var{command} on @var{filedes}.
+@@ -3650,3 +3901,6 @@ unknown device.
+ Most IOCTLs are OS-specific and/or only used in special system utilities,
+ and are thus beyond the scope of this document.  For an example of the use
+ of an IOCTL, see @ref{Out-of-Band Data}.
++
++@c FIXME this is undocumented:
++@c dup3

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe

commit ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/libdl.texi: New.

diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d1b5808eaefe152c160fe51db180ee67bf67caec

commit d1b5808eaefe152c160fe51db180ee67bf67caec
Merge: 933d2fb 55b9c1e ca4e6ed
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=933d2fb03531dd5c728702c576b3864b549ef2a1

commit 933d2fb03531dd5c728702c576b3864b549ef2a1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:59 2013 -0300

    import

diff --git a/meta b/meta
index 57830af..a5364f4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: bb876ad58dc08465bbe11d035994ca2dfd5f198e
-Head: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
+Previous: 55b9c1e2c45ebb7abdd12b9b1ef546eba08829bd
+Head: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -17,6 +17,7 @@ Applied:
   manual-document-mt-safety-getopt.patch: c48dff451b9a543c5f827092417468a0d6672c59
   manual-document-mt-safety-job.patch: 138c83afb5f7d92dcac1049f150b154d43addda2
   manual-document-mt-safety-lang.patch: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
+  manual-document-mt-safety-libdl.patch: ca4e6ed5fbcca95d7f29a49c4ed65651acda0efe
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
diff --git a/patches/manual-document-mt-safety-libdl.patch b/patches/manual-document-mt-safety-libdl.patch
new file mode 100644
index 0000000..51626a1
--- /dev/null
+++ b/patches/manual-document-mt-safety-libdl.patch
@@ -0,0 +1,30 @@
+Bottom: 95e3af012c2d8222ce9c18f313b200f086405d32
+Top:    5d6bbf322290ec49c7df2274a5b3ec79d32fd303
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:08:59 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/libdl.texi: New.
+
+
+---
+
+diff --git a/manual/libdl.texi b/manual/libdl.texi
+new file mode 100644
+index 0000000..e3fe045
+--- /dev/null
++++ b/manual/libdl.texi
+@@ -0,0 +1,10 @@
++@c FIXME these are undocumented:
++@c dladdr
++@c dladdr1
++@c dlclose
++@c dlerror
++@c dlinfo
++@c dlmopen
++@c dlopen
++@c dlsym
++@c dlvsym

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd

commit a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/lang.texi: Document thread safety properties.

diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=55b9c1e2c45ebb7abdd12b9b1ef546eba08829bd

commit 55b9c1e2c45ebb7abdd12b9b1ef546eba08829bd
Merge: 647690f a7fd5e4 bb876ad
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=647690fef25dc2fe30b41c6d6c4653a932f0d514

commit 647690fef25dc2fe30b41c6d6c4653a932f0d514
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:32 2013 -0300

    import

diff --git a/meta b/meta
index 3b789ad..57830af 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9eb0f35298528a56e8b83fd1dab2fa72927ae1b9
-Head: 138c83afb5f7d92dcac1049f150b154d43addda2
+Previous: bb876ad58dc08465bbe11d035994ca2dfd5f198e
+Head: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -16,6 +16,7 @@ Applied:
   manual-document-mt-safety-filesys.patch: d1d06a086358b876405130714e2c5cf0d7740ab8
   manual-document-mt-safety-getopt.patch: c48dff451b9a543c5f827092417468a0d6672c59
   manual-document-mt-safety-job.patch: 138c83afb5f7d92dcac1049f150b154d43addda2
+  manual-document-mt-safety-lang.patch: a7fd5e42f1a4a4cb65dadb2a7ba4ef28bb8bb3fd
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
diff --git a/patches/manual-document-mt-safety-lang.patch b/patches/manual-document-mt-safety-lang.patch
new file mode 100644
index 0000000..eef82af
--- /dev/null
+++ b/patches/manual-document-mt-safety-lang.patch
@@ -0,0 +1,81 @@
+Bottom: 78811ad7f6f34dae902d17fe9939b1ed2877fc8c
+Top:    95e3af012c2d8222ce9c18f313b200f086405d32
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:08:32 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/lang.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/lang.texi b/manual/lang.texi
+index ee04e23..d6cd90c 100644
+--- a/manual/lang.texi
++++ b/manual/lang.texi
+@@ -51,6 +51,8 @@ without indicating anything might be wrong.
+ @comment assert.h
+ @comment ISO
+ @deftypefn Macro void assert (int @var{expression})
++@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
++@c assert_fail_base calls asprintf, and fflushes stderr.
+ Verify the programmer's belief that @var{expression} is nonzero at
+ this point in the program.
+ 
+@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
+ @comment assert.h
+ @comment GNU
+ @deftypefn Macro void assert_perror (int @var{errnum})
++@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
++@c assert_fail_base calls asprintf, and fflushes stderr.
+ Similar to @code{assert}, but verifies that @var{errnum} is zero.
+ 
+ If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
+@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
+ @comment stdarg.h
+ @comment ISO
+ @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ This macro initializes the argument pointer variable @var{ap} to point
+ to the first of the optional arguments of the current function;
+ @var{last-required} must be the last required argument to the function.
+@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
+ @comment stdarg.h
+ @comment ISO
+ @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ The @code{va_arg} macro returns the value of the next optional argument,
+ and modifies the value of @var{ap} to point to the subsequent argument.
+ Thus, successive uses of @code{va_arg} return successive optional
+@@ -445,6 +453,8 @@ of the actual argument.
+ @comment stdarg.h
+ @comment ISO
+ @deftypefn {Macro} void va_end (va_list @var{ap})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ This ends the use of @var{ap}.  After a @code{va_end} call, further
+ @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
+ @code{va_end} before returning from the function in which @code{va_start}
+@@ -466,6 +476,8 @@ of the same type.
+ @comment ISO
+ @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
+ @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ The @code{va_copy} macro allows copying of objects of type
+ @code{va_list} even if this is not an integral type.  The argument pointer
+ in @var{dest} is initialized to point to the same argument as the
+@@ -1212,6 +1224,8 @@ type of a particular structure member.
+ @comment stddef.h
+ @comment ISO
+ @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ This expands to a integer constant expression that is the offset of the
+ structure member named @var{member} in the structure type @var{type}.
+ For example, @code{offsetof (struct s, elem)} is the offset, in bytes,

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=138c83afb5f7d92dcac1049f150b154d43addda2

commit 138c83afb5f7d92dcac1049f150b154d43addda2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/job.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bb876ad58dc08465bbe11d035994ca2dfd5f198e

commit bb876ad58dc08465bbe11d035994ca2dfd5f198e
Merge: ed1d024 9eb0f35 138c83a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ed1d02477c67d2906fb070681314349d24dc384b

commit ed1d02477c67d2906fb070681314349d24dc384b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:15 2013 -0300

    import

diff --git a/meta b/meta
index 8fbf811..3b789ad 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 92919fc25ad418c3e600d2ebfd89c21e91e8802d
-Head: c48dff451b9a543c5f827092417468a0d6672c59
+Previous: 9eb0f35298528a56e8b83fd1dab2fa72927ae1b9
+Head: 138c83afb5f7d92dcac1049f150b154d43addda2
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -15,6 +15,7 @@ Applied:
   manual-document-mt-safety-errno.patch: b035d6eeb7b48636043919617d515c88522ba6c3
   manual-document-mt-safety-filesys.patch: d1d06a086358b876405130714e2c5cf0d7740ab8
   manual-document-mt-safety-getopt.patch: c48dff451b9a543c5f827092417468a0d6672c59
+  manual-document-mt-safety-job.patch: 138c83afb5f7d92dcac1049f150b154d43addda2
 Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
diff --git a/patches/manual-document-mt-safety-job.patch b/patches/manual-document-mt-safety-job.patch
new file mode 100644
index 0000000..b4d3b96
--- /dev/null
+++ b/patches/manual-document-mt-safety-job.patch
@@ -0,0 +1,123 @@
+Bottom: 18760d732995b8379bc372377398a8fd58732762
+Top:    78811ad7f6f34dae902d17fe9939b1ed2877fc8c
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:08:15 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/job.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/job.texi b/manual/job.texi
+index 4efeed3..779ea96 100644
+--- a/manual/job.texi
++++ b/manual/job.texi
+@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
+ @comment stdio.h
+ @comment POSIX.1
+ @deftypefun {char *} ctermid (char *@var{string})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This function is a stub by default; the actual implementation, for
++@c posix systems, returns an internal buffer if passed a NULL string,
++@c but the internal buffer is always set to /dev/tty.
+ The @code{ctermid} function returns a string containing the file name of
+ the controlling terminal for the current process.  If @var{string} is
+ not a null pointer, it should be an array that can hold at least
+@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun pid_t setsid (void)
++@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
++@c This is usually a direct syscall, but if a syscall is not available,
++@c we use a stub, or Hurd- and BSD-specific implementations.  The former
++@c uses a mutex and a hurd critical section, and the latter issues a few
++@c syscalls, so both seem safe, except for the locking on Hurd.
+ The @code{setsid} function creates a new session.  The calling process
+ becomes the session leader, and is put in a new process group whose
+ process group ID is the same as the process ID of that process.  There
+@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
+ @comment unistd.h
+ @comment SVID
+ @deftypefun pid_t getsid (pid_t @var{pid})
+-
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub or direct syscall, except on hurd, where it is equally safe.
+ The @code{getsid} function returns the process group ID of the session
+ leader of the specified process.  If a @var{pid} is @code{0}, the
+ process group ID of the session leader of the current process is
+@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Wrapper for getpgid.
+ The POSIX.1 definition of @code{getpgrp} returns the process group ID of
+ the calling process.
+ @end deftypefn
+@@ -1141,6 +1153,8 @@ the calling process.
+ @comment unistd.h
+ @comment BSD
+ @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Wrapper for getpgid.
+ The BSD definition of @code{getpgrp} returns the process group ID of the
+ process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
+ argument to get information about the calling process.
+@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
+ @comment unistd.h
+ @comment SVID
+ @deftypefn {System V Function} int getpgid (pid_t @var{pid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub or direct syscall, except on hurd, where it is equally safe.
+ 
+ @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
+ returns the process group ID of the process @var{pid}.  You can supply a
+@@ -1171,6 +1187,8 @@ process.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub or direct syscall, except on hurd, where it is equally safe.
+ The @code{setpgid} function puts the process @var{pid} into the process
+ group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
+ be zero to indicate the process ID of the calling process.
+@@ -1208,6 +1226,8 @@ process or a child of the calling process.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct syscall or setpgid wrapper.
+ This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
+ the same thing.
+ @end deftypefun
+@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun pid_t tcgetpgrp (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub, or ioctl on BSD and GNU/Linux.
+ This function returns the process group ID of the foreground process
+ group associated with the terminal open on descriptor @var{filedes}.
+ 
+@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub, or ioctl on BSD and GNU/Linux.
+ This function is used to set a terminal's foreground process group ID.
+ The argument @var{filedes} is a descriptor which specifies the terminal;
+ @var{pgid} specifies the process group.  The calling process must be a
+@@ -1297,6 +1321,8 @@ process.
+ @comment termios.h
+ @comment Unix98
+ @deftypefun pid_t tcgetsid (int @var{fildes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
+ This function is used to obtain the process group ID of the session
+ for which the terminal specified by @var{fildes} is the controlling terminal.
+ If the call is successful the group ID is returned.  Otherwise the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9eb0f35298528a56e8b83fd1dab2fa72927ae1b9

commit 9eb0f35298528a56e8b83fd1dab2fa72927ae1b9
Merge: 13c32a1 92919fc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:05 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=13c32a1b05e4fe8016b283ac793185f0befbbd41

commit 13c32a1b05e4fe8016b283ac793185f0befbbd41
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:05 2013 -0300

    push

diff --git a/meta b/meta
index fd57941..8fbf811 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b4537d0a04428bf9cee6e267a5f57dbdd3301329
-Head: d1d06a086358b876405130714e2c5cf0d7740ab8
+Previous: 92919fc25ad418c3e600d2ebfd89c21e91e8802d
+Head: c48dff451b9a543c5f827092417468a0d6672c59
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -14,8 +14,8 @@ Applied:
   manual-document-mt-safety-debug.patch: 7f89734934ba539d84fdf02163f64ae84f795ac9
   manual-document-mt-safety-errno.patch: b035d6eeb7b48636043919617d515c88522ba6c3
   manual-document-mt-safety-filesys.patch: d1d06a086358b876405130714e2c5cf0d7740ab8
-Unapplied:
   manual-document-mt-safety-getopt.patch: c48dff451b9a543c5f827092417468a0d6672c59
+Unapplied:
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=92919fc25ad418c3e600d2ebfd89c21e91e8802d

commit 92919fc25ad418c3e600d2ebfd89c21e91e8802d
Merge: 1b05d1f b4537d0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:01 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1b05d1ffbe01790bcb6afa26a3814eb688d2d9d9

commit 1b05d1ffbe01790bcb6afa26a3814eb688d2d9d9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:08:01 2013 -0300

    pop

diff --git a/meta b/meta
index ee8ca34..fd57941 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 8f0d964f583cad6e1513d3ee7521ebca819e5751
-Head: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
+Previous: b4537d0a04428bf9cee6e267a5f57dbdd3301329
+Head: d1d06a086358b876405130714e2c5cf0d7740ab8
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
   powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
@@ -14,10 +14,10 @@ Applied:
   manual-document-mt-safety-debug.patch: 7f89734934ba539d84fdf02163f64ae84f795ac9
   manual-document-mt-safety-errno.patch: b035d6eeb7b48636043919617d515c88522ba6c3
   manual-document-mt-safety-filesys.patch: d1d06a086358b876405130714e2c5cf0d7740ab8
+Unapplied:
   manual-document-mt-safety-getopt.patch: c48dff451b9a543c5f827092417468a0d6672c59
   manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
   manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
   manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
   manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b4537d0a04428bf9cee6e267a5f57dbdd3301329

commit b4537d0a04428bf9cee6e267a5f57dbdd3301329
Merge: 2ce7724 4546f1e 8f0d964
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:54 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2ce7724e0875f99da3acbe4b4f8b238fe67a7166

commit 2ce7724e0875f99da3acbe4b4f8b238fe67a7166
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:54 2013 -0300

    push

diff --git a/meta b/meta
index 00e3714..ee8ca34 100644
--- a/meta
+++ b/meta
@@ -1,23 +1,23 @@
 Version: 1
-Previous: b4d906acf0574484a2eee239e7c46c7e060297be
-Head: 351fb371fa127df8fa5e27b38a330e4258b35180
+Previous: 8f0d964f583cad6e1513d3ee7521ebca819e5751
+Head: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Applied:
   manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
+  powerpc-nofpu-sim-note-nothread.patch: 8ff199e32650a502ca50da4736e82ed813e08fa4
+  unused-scalb-is-scalbn.patch: 62694b21850cd676e82306bc82418b952b9d3d31
+  manual-document-mt-safety-argp.patch: 8b86b0ead9b1494ad7b0aa283a423813ed5e8bc7
+  manual-document-mt-safety-arith.patch: 5a1a8a43ebaa9cc6a6dc182bd931fbca63e7d866
+  manual-document-mt-safety-charset.patch: 296ae41496afc524f6f75648a3298a5419b46990
+  manual-document-mt-safety-conf.patch: 95b0911edf2eb244430d9533ec0a8a3f7058581c
+  manual-document-mt-safety-crypt.patch: e600904c5eab885a1a7c8aef6bb2f570bd201275
+  manual-document-mt-safety-ctype.patch: 727a9c49e98194570a2c85e47c355bcc55398cd9
+  manual-document-mt-safety-debug.patch: 7f89734934ba539d84fdf02163f64ae84f795ac9
+  manual-document-mt-safety-errno.patch: b035d6eeb7b48636043919617d515c88522ba6c3
+  manual-document-mt-safety-filesys.patch: d1d06a086358b876405130714e2c5cf0d7740ab8
+  manual-document-mt-safety-getopt.patch: c48dff451b9a543c5f827092417468a0d6672c59
+  manual-document-mt-safety-stdio.patch: ce7a82428b383c27385283464762599a0000cba2
+  manual-document-mt-safety-locale.patch: e3578b80d486c85ecfce6a21f09e9051d868468b
+  manual-document-mt-safety-math.patch: 0082110725464cff983520a32eac4c49ff25339e
+  manual-document-mt-safety-wip.patch: 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
 Unapplied:
-  powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
-  unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
-  manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
-  manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
-  manual-document-mt-safety-charset.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
-  manual-document-mt-safety-conf.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
-  manual-document-mt-safety-crypt.patch: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
-  manual-document-mt-safety-ctype.patch: d3739e943bb05d4edb6ca163f33c2cda30ada1f6
-  manual-document-mt-safety-debug.patch: c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
-  manual-document-mt-safety-errno.patch: 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
-  manual-document-mt-safety-filesys.patch: 9ae778a025f0908ba789a9e0cf5065ab0d53628a
-  manual-document-mt-safety-getopt.patch: f79b9fc6a64c2160e49b66d3ffd8beff25d0317b
-  manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
-  manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
-  manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 5313e9f..914e844 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: 6c9a45167e9f148c725e5d962b1cd083292f0adf
-Top:    159ee8e039a2ee1968f5b806b99cb2c568c31678
+Bottom: 6ef173fc60a9c842433354081fa0216e4430c1b8
+Top:    206cd625e1e8e8dc3e141cdd29c90772cf35e923
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index b25c52a..49b1456 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 159ee8e039a2ee1968f5b806b99cb2c568c31678
-Top:    7d1efa70a6263de6179afe2a9a443ea3375c3c65
+Bottom: 206cd625e1e8e8dc3e141cdd29c90772cf35e923
+Top:    260809414e54f35864ab54b52fdbff3517f05f2e
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-charset.patch b/patches/manual-document-mt-safety-charset.patch
index d61f282..c4d22ae 100644
--- a/patches/manual-document-mt-safety-charset.patch
+++ b/patches/manual-document-mt-safety-charset.patch
@@ -1,5 +1,5 @@
-Bottom: 7d1efa70a6263de6179afe2a9a443ea3375c3c65
-Top:    214fcee1fc2244efd3fa34e70667561366631af6
+Bottom: 260809414e54f35864ab54b52fdbff3517f05f2e
+Top:    0ed3cc03efad5a94ba0a48cd696ec823658ac35b
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:01:33 -0300
 
diff --git a/patches/manual-document-mt-safety-conf.patch b/patches/manual-document-mt-safety-conf.patch
index dc5d0aa..0db760e 100644
--- a/patches/manual-document-mt-safety-conf.patch
+++ b/patches/manual-document-mt-safety-conf.patch
@@ -1,5 +1,5 @@
-Bottom: 214fcee1fc2244efd3fa34e70667561366631af6
-Top:    01a0439b7c735fb096210cab50592ed7ae588e00
+Bottom: 0ed3cc03efad5a94ba0a48cd696ec823658ac35b
+Top:    621eb53ac8713123406be43ebd474132b7c6e4de
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:16 -0300
 
diff --git a/patches/manual-document-mt-safety-crypt.patch b/patches/manual-document-mt-safety-crypt.patch
index 8311afe..20411b6 100644
--- a/patches/manual-document-mt-safety-crypt.patch
+++ b/patches/manual-document-mt-safety-crypt.patch
@@ -1,5 +1,5 @@
-Bottom: 01a0439b7c735fb096210cab50592ed7ae588e00
-Top:    9879c04c4ffa34225360a9359ba3d098a05a208c
+Bottom: 621eb53ac8713123406be43ebd474132b7c6e4de
+Top:    25551ef91682bea014db1b2031e4dad60a4ba129
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:03:47 -0300
 
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index f682ded..8700f8e 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 9879c04c4ffa34225360a9359ba3d098a05a208c
-Top:    ef2aa24039042b2529772d0209797c599eb01fbe
+Bottom: 25551ef91682bea014db1b2031e4dad60a4ba129
+Top:    1fe3a56b7e61d235687df61e4d4bded8e7283992
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
index c31f434..2063a20 100644
--- a/patches/manual-document-mt-safety-debug.patch
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -1,5 +1,5 @@
-Bottom: ef2aa24039042b2529772d0209797c599eb01fbe
-Top:    d9693aa296c06ebe3fdaa8817d28a446b893fe25
+Bottom: 1fe3a56b7e61d235687df61e4d4bded8e7283992
+Top:    5add8b2d9a79567d15e402219a50ddf6704cdcea
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:11 -0300
 
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
index 75e4099..7b30386 100644
--- a/patches/manual-document-mt-safety-errno.patch
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -1,5 +1,5 @@
-Bottom: d9693aa296c06ebe3fdaa8817d28a446b893fe25
-Top:    e0c86b7119156c45d45fc7b8853dfb0c950448cb
+Bottom: 5add8b2d9a79567d15e402219a50ddf6704cdcea
+Top:    50fd6f363b9af88ae1e05db55cefcd1e41c10123
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:05:34 -0300
 
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
index 5f9b89d..7b4e146 100644
--- a/patches/manual-document-mt-safety-filesys.patch
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -1,5 +1,5 @@
-Bottom: e0c86b7119156c45d45fc7b8853dfb0c950448cb
-Top:    c99f368a71f19ba8429c3534e1b674f3a20de73e
+Bottom: 50fd6f363b9af88ae1e05db55cefcd1e41c10123
+Top:    c0467ea68e04c4b52c9c771dad681e1220291a6a
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:03 -0300
 
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
index d1ce979..753c8f5 100644
--- a/patches/manual-document-mt-safety-getopt.patch
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -1,5 +1,5 @@
-Bottom: c99f368a71f19ba8429c3534e1b674f3a20de73e
-Top:    eaf7ea9f21df96f6e1ba6d92a8b44a2546e980f4
+Bottom: c0467ea68e04c4b52c9c771dad681e1220291a6a
+Top:    18760d732995b8379bc372377398a8fd58732762
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 22:06:36 -0300
 
diff --git a/patches/manual-document-mt-safety-locale.patch b/patches/manual-document-mt-safety-locale.patch
index a5cc454..4eae5d6 100644
--- a/patches/manual-document-mt-safety-locale.patch
+++ b/patches/manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: e394e37491899340294bfd977f43c098c558c2b1
-Top:    e7a76e5bc200b56429777851aab7bce4bcbb7c56
+Bottom: f75097e48123219d68b9307cd827515c123cf0b8
+Top:    3b40240eced54a0f63e844f5354c9ab2106ba9d3
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index ebdf1e4..336844e 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: e7a76e5bc200b56429777851aab7bce4bcbb7c56
-Top:    493d959bda4db41836ea91b2b9685b47ab733575
+Bottom: 3b40240eced54a0f63e844f5354c9ab2106ba9d3
+Top:    edfbd2bf9a8a7592b48fc6ddfd6dd6a196355d21
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index fb0f44d..ad86e9d 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 7d1efa70a6263de6179afe2a9a443ea3375c3c65
-Top:    9d00eea6735363e6e80869186f9fb160ee3e5642
+Bottom: 18760d732995b8379bc372377398a8fd58732762
+Top:    f75097e48123219d68b9307cd827515c123cf0b8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-wip.patch b/patches/manual-document-mt-safety-wip.patch
index 403d0e3..0350f71 100644
--- a/patches/manual-document-mt-safety-wip.patch
+++ b/patches/manual-document-mt-safety-wip.patch
@@ -1,4 +1,4 @@
-Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
+Bottom: edfbd2bf9a8a7592b48fc6ddfd6dd6a196355d21
 Top:    7472b1dd7a8cc8760b98cd08cb7f8418374249ed
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
@@ -12,1852 +12,6 @@ for ChangeLog
 
 ---
 
-diff --git a/manual/argp.texi b/manual/argp.texi
-index c9fbe97..5322f91 100644
---- a/manual/argp.texi
-+++ b/manual/argp.texi
-@@ -36,6 +36,35 @@ needed in @code{main}.
- @comment argp.h
- @comment GNU
- @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
-+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
-+@c Optionally alloca()tes standard help options, initializes the parser,
-+@c then parses individual args in a loop, and then finalizes.
-+@c  parser_init
-+@c   calc_sizes ok
-+@c    option_is_end ok
-+@c   malloc
-+@c   parser_convert glocale
-+@c    convert_options glocale
-+@c     option_is_end ok
-+@c     option_is_short ok
-+@c      isprint, but locale may change within the loop
-+@c     find_long_option ok
-+@c   group_parse
-+@c    group->parser (from argp->parser)
-+@c  parser_parse_next
-+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
-+@c   parser_parse_arg
-+@c    group_parse
-+@c   parser_parse_opt
-+@c    group_parse
-+@c    argp_error
-+@c    dgettext (bad key error)
-+@c  parser_finalize
-+@c   group_parse
-+@c   fprintf
-+@c   dgettext
-+@c   arg_state_help
-+@c   free
- The @code{argp_parse} function parses the arguments in @var{argv}, of
- length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
- Parsers}.  Passing a null pointer for @var{argp} is the same as using
-@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
- @comment argp.h
- @comment GNU
- @deftypefun void argp_usage (const struct argp_state *@var{state})
-+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
-+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
- Outputs the standard usage message for the argp parser referred to by
- @var{state} to @code{@var{state}->err_stream} and terminate the program
- with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
-@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
- @comment argp.h
- @comment GNU
- @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
-+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
-+@c Lock stream, vasprintf the formatted message into a buffer, print the
-+@c buffer prefixed by the short program name (in libc,
-+@c argp_short_program_name is a macro that expands to
-+@c program_invocation_short_name), releases the buffer, then call
-+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
-+@c stream at the end.
- Prints the printf format string @var{fmt} and following args, preceded
- by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
- --help}} message, and terminates the program with an exit status of
-@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
- @comment argp.h
- @comment GNU
- @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
-+@c Lock stream, write out the short program name, vasprintf the optional
-+@c formatted message to a buffer, print the buffer prefixed by colon and
-+@c blank, release the buffer, call strerror_r with an automatic buffer,
-+@c print it out after colon and blank, put[w]c a line break, unlock the
-+@c stream, then exit unless ARGP_NO_EXIT.
- Similar to the standard gnu error-reporting function @code{error}, this
- prints the program name and @samp{:}, the printf format string
- @var{fmt}, and the appropriate following args.  If it is non-zero, the
-@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
- @comment argp.h
- @comment GNU
- @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
-+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
-+@c Just calls _help with the short program name and optionally exit.
-+@c The main problems in _help, besides the usual issues with stream I/O
-+@c and translation, are the use of a static buffer (uparams) that makes
-+@c the whole thing thread-unsafe, reading from the environment for
-+@c ARGP_HELP_FMT, accessing the locale object multiple times.
-+
-+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
-+@c  dgettext asi18n
-+@c  flockfile lockleak
-+@c  funlockfile lockleak
-+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
-+@c   argp_failure dup (status = errnum = 0)
-+@c   atoi dup
-+@c  argp_hol asmalloc, memleak
-+@c   make_hol asmalloc, memleak
-+@c   hol_add_cluster asmalloc, memleak
-+@c   hol_append asmalloc, memleak
-+@c  hol_set_group ok
-+@c   hol_find_entry ok
-+@c  hol_sort glocale, asmalloc, memleak
-+@c   qsort asmalloc, memleak
-+@c    hol_entry_qcmp glocale
-+@c     hol_entry_cmp glocale
-+@c      group_cmp ok
-+@c      hol_cluster_cmp ok
-+@c       group_cmp ok
-+@c      hol_entry_first_short glocale
-+@c       hol_entry_short_iterate [glocale]
-+@c        until_short ok
-+@c         oshort ok
-+@c          isprint ok
-+@c      odoc ok
-+@c      hol_entry_first_long ok
-+@c      canon_doc_option glocale
-+@c      tolower dup
-+@c  hol_usage glocale, asi18n, asmalloc, memleak
-+@c   hol_entry_short_iterate ok
-+@c    add_argless_short_opt ok
-+@c   argp_fmtstream_printf dup
-+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
-+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
-+@c     dgettext dup
-+@c     argp_fmtstream_printf dup
-+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
-+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
-+@c     dgettext dup
-+@c     argp_fmtstream_printf dup
-+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
-+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
-+@c    argp_fmtstream_set_lmargin dup
-+@c    argp_fmtstream_wmargin dup
-+@c    argp_fmtstream_set_wmargin dup
-+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
-+@c     argp_fmtstream_putc dup
-+@c     hol_cluster_is_child ok
-+@c     argp_fmtstream_wmargin dup
-+@c     print_header dup
-+@c     argp_fmtstream_set_wmargin dup
-+@c     argp_fmtstream_puts dup
-+@c     indent_to dup
-+@c    argp_fmtstream_putc dup
-+@c    arg glocale, asmalloc, memleak
-+@c     argp_fmtstream_printf dup
-+@c    odoc dup
-+@c    argp_fmtstream_puts dup
-+@c    argp_fmtstream_printf dup
-+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
-+@c     dgettext dup
-+@c     filter_doc dup
-+@c     argp_fmtstream_putc dup
-+@c     indent_to dup
-+@c     argp_fmtstream_set_lmargin dup
-+@c     argp_fmtstream_set_wmargin dup
-+@c     argp_fmtstream_puts dup
-+@c     free dup
-+@c    filter_doc dup
-+@c    argp_fmtstream_point dup
-+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c     argp_fmtstream_point dup
-+@c     argp_fmtstream_putc dup
-+@c   dgettext dup
-+@c   filter_doc dup
-+@c   argp_fmtstream_putc dup
-+@c   argp_fmtstream_puts dup
-+@c   free dup
-+@c  hol_free asmalloc, memleak
-+@c   free dup
-+@c  argp_args_levels ok
-+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c   dgettext dup
-+@c   filter_doc ok
-+@c    argp_input ok
-+@c    argp->help_filter
-+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c    argp_fmtstream_point dup
-+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
-+@c     argp_fmtstream_update dup
-+@c    argp_fmtstream_putc dup
-+@c   argp_fmtstream_write dup
-+@c   free dup
-+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
-+@c   dgettext asi18n
-+@c   strndup asmalloc, memleak
-+@c   argp_input dup
-+@c   argp->help_filter
-+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c    argp_fmtstream_ensure dup
-+@c   argp_fmtstream_write dup
-+@c   argp_fmtstream_puts dup
-+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
-+@c    argp_fmtstream_update dup
-+@c   argp_fmtstream_lmargin dup
-+@c   free dup
-+@c  argp_make_fmtstream asmalloc, memleak
-+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
-+@c    put[w]c_unlocked dup
-+@c    isblank in loop glocale
-+@c    fxprintf lockleak
-+@c   fxprintf lockleak
-+@c   free dup
-+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
-+@c   argp_fmtstream_update dup
-+@c  argp_fmtstream_printf glocale, asmalloc, memleak
-+@c   argp_fmtstream_ensure dup
-+@c   vsnprintf dup
-+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
-+@c   argp_fmtstream_update dup
-+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
-+@c     argp_fmtstream_update dup
-+@c     fxprintf lockleak
-+@c     realloc asmalloc, memleak
- Outputs a help message for the argp parser referred to by @var{state},
- to @var{stream}.  The @var{flags} argument determines what sort of help
- message is produced.  @xref{Argp Help Flags}.
-@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
- @comment argp.h
- @comment GNU
- @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
-+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
-+@c Just calls _help.  
- This outputs a help message for the argp parser @var{argp} to
- @var{stream}.  The type of messages printed will be determined by
- @var{flags}.
-diff --git a/manual/arith.texi b/manual/arith.texi
-index 833e0c9..5c3aa9d 100644
---- a/manual/arith.texi
-+++ b/manual/arith.texi
-@@ -323,6 +323,7 @@ floating-point number a variable holds.
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is a generic macro which works on all floating-point types and
- which returns a value of type @code{int}.  The possible values are:
- 
-@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is finite: not plus or
- minus infinity, and not NaN.  It is equivalent to
- 
-@@ -373,6 +375,7 @@ floating-point type.
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is finite and normalized.
- It is equivalent to
- 
-@@ -384,6 +387,7 @@ It is equivalent to
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
- to
- 
-@@ -395,6 +399,7 @@ to
- @comment math.h
- @comment GNU
- @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is a signaling NaN
- (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
- extension.
-@@ -2443,6 +2448,32 @@ as well.
- @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
- @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
- @c mpn, but it's all safe.
-+@c
-+@c round_and_return
-+@c   get_rounding_mode ok
-+@c   mpn_add_1 ok
-+@c   mpn_rshift ok
-+@c   MPN_ZERO ok
-+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
-+@c str_to_mpn
-+@c   mpn_mul_1 -> umul_ppmm ok
-+@c   mpn_add_1 ok
-+@c mpn_lshift_1 -> mpn_lshift ok
-+@c STRTOF_INTERNAL
-+@c   MPN_VAR ok
-+@c   SET_MANTISSA ok
-+@c   STRNCASECMP ok, wide and narrow
-+@c   round_and_return ok
-+@c   mpn_mul ok
-+@c     mpn_addmul_1 ok
-+@c     ... mpn_sub
-+@c   mpn_lshift ok
-+@c   udiv_qrnnd ok
-+@c   count_leading_zeros ok
-+@c   add_ssaaaa ok
-+@c   sub_ddmmss ok
-+@c   umul_ppmm ok
-+@c   mpn_submul_1 ok
- The @code{strtod} (``string-to-double'') function converts the initial
- part of @var{string} to a floating-point number, which is returned as a
- value of type @code{double}.
-diff --git a/manual/charset.texi b/manual/charset.texi
-index e21502e..7e6c416 100644
---- a/manual/charset.texi
-+++ b/manual/charset.texi
-@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
- @comment wchar.h
- @comment ISO
- @deftypefun int mbsinit (const mbstate_t *@var{ps})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c ps is dereferenced once, unguarded.  Potential harmless data race.
- The @code{mbsinit} function determines whether the state object pointed
- to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
- the object is in the initial state the return value is nonzero.  Otherwise
-@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
- @comment wchar.h
- @comment ISO
- @deftypefun wint_t btowc (int @var{c})
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
-+@c Calls btowc_fct or __fct; reads from locale, and from the
-+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
-+@c __wcsmbs_load_conv to initialize the ctype if it's null.
-+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
-+@c memory for the fcts structure, initializing it, and then storing it
-+@c in the locale object.  The initialization involves dlopening and a
-+@c lot more.
- The @code{btowc} function (``byte to wide character'') converts a valid
- single byte character @var{c} in the initial shift state into the wide
- character equivalent using the conversion rules from the currently
-@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
- @comment wchar.h
- @comment ISO
- @deftypefun int wctob (wint_t @var{c})
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{wctob} function (``wide character to byte'') takes as the
- parameter a valid wide character.  If the multibyte representation for
- this character in the initial state is exactly one byte long, the return
-@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
- @comment wchar.h
- @comment ISO
- @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
-+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- @cindex stateful
- The @code{mbrtowc} function (``multibyte restartable to wide
- character'') converts the next multibyte character in the string pointed
-@@ -728,6 +740,7 @@ function that does part of the work.
- @comment wchar.h
- @comment ISO
- @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
-+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{mbrlen} function (``multibyte restartable length'') computes
- the number of at most @var{n} bytes starting at @var{s}, which form the
- next valid and complete multibyte character.
-@@ -811,6 +824,50 @@ doing the work twice.
- @comment wchar.h
- @comment ISO
- @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
-+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
-+@c wcrtomb uses a static, non-thread-local unguarded state variable when
-+@c PS is NULL.  When a state is passed in, and it's not used
-+@c concurrently in other threads, this function behaves safely as long
-+@c as gconv modules don't bring MT safety issues of their own.
-+@c Attempting to load gconv modules or to build conversion chains in
-+@c signal handlers may encounter gconv databases or caches in a
-+@c partially-updated state, and asynchronous cancellation may leave them
-+@c in such states, besides leaking the lock that guards them.
-+@c get_gconv_fcts ok
-+@c    wcsmbs_load_conv ok
-+@c      norm_add_slashes ok
-+@c      wcsmbs_getfct ok
-+@c        gconv_find_transform ok
-+@c          gconv_read_conf (libc_once)
-+@c          gconv_lookup_cache ok
-+@c            find_module_idx ok
-+@c            find_module ok
-+@c              gconv_find_shlib (ok)
-+@c              ->init_fct (assumed ok)
-+@c            gconv_get_builtin_trans ok
-+@c            gconv_release_step ok
-+@c          do_lookup_alias ok
-+@c          find_derivation ok
-+@c            derivation_lookup ok
-+@c            increment_counter ok
-+@c              gconv_find_shlib ok
-+@c              step->init_fct (assumed ok)
-+@c            gen_steps ok
-+@c              gconv_find_shlib ok
-+@c                dlopen (presumed ok)
-+@c                dlsym (presumed ok)
-+@c              step->init_fct (assumed ok)
-+@c              step->end_fct (assumed ok)
-+@c              gconv_get_builtin_trans ok
-+@c              gconv_release_step ok
-+@c            add_derivation ok
-+@c      gconv_close_transform ok
-+@c        gconv_release_step ok
-+@c          step->end_fct (assumed ok)
-+@c          gconv_release_shlib ok
-+@c            dlclose (presumed ok)
-+@c        gconv_release_cache ok
-+@c  ->tomb->__fct (assumed ok)
- The @code{wcrtomb} function (``wide character restartable to
- multibyte'') converts a single wide character into a multibyte string
- corresponding to that wide character.
-@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
- @comment wchar.h
- @comment ISO
- @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
-+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{mbsrtowcs} function (``multibyte string restartable to wide
- character string'') converts an NUL-terminated multibyte character
- string at @code{*@var{src}} into an equivalent wide character string,
-@@ -1039,6 +1097,7 @@ length and passing this length to the function.
- @comment wchar.h
- @comment ISO
- @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
-+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{wcsrtombs} function (``wide character string restartable to
- multibyte string'') converts the NUL-terminated wide character string at
- @code{*@var{src}} into an equivalent multibyte character string and
-@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
- @comment wchar.h
- @comment GNU
- @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
-+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
- function.  All the parameters are the same except for @var{nmc}, which is
- new.  The return value is the same as for @code{mbsrtowcs}.
-@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
- @comment wchar.h
- @comment GNU
- @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
-+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{wcsnrtombs} function implements the conversion from wide
- character strings to multibyte character strings.  It is similar to
- @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
-@@ -1280,6 +1341,7 @@ conversion functions.}
- @comment stdlib.h
- @comment ISO
- @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
-+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{mbtowc} (``multibyte to wide character'') function when called
- with non-null @var{string} converts the first multibyte character
- beginning at @var{string} to its corresponding wide character code.  It
-@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
- @comment stdlib.h
- @comment ISO
- @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
-+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{wctomb} (``wide character to multibyte'') function converts
- the wide character code @var{wchar} to its corresponding multibyte
- character sequence, and stores the result in bytes starting at
-@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
- @comment stdlib.h
- @comment ISO
- @deftypefun int mblen (const char *@var{string}, size_t @var{size})
-+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{mblen} function with a non-null @var{string} argument returns
- the number of bytes that make up the multibyte character beginning at
- @var{string}, never examining more than @var{size} bytes.  (The idea is
-@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
- @comment stdlib.h
- @comment ISO
- @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
-+@c Odd...  Although this is in the non-reentrant section, the state
-+@c object is automatic, not a static buffer.
- The @code{mbstowcs} (``multibyte string to wide character string'')
- function converts the null-terminated string of multibyte characters
- @var{string} to an array of wide character codes, storing not more than
-@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
- @comment stdlib.h
- @comment ISO
- @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
- The @code{wcstombs} (``wide character string to multibyte string'')
- function converts the null-terminated wide character array @var{wstring}
- into a string containing multibyte characters, storing not more than
-@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
- @comment iconv.h
- @comment XPG2
- @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
-+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
-+@c strip and upstr on both, then gconv_open.  strip and upstr call
-+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
-+@c tokenize toset, replace unspecified codesets with the current locale
-+@c (posibly two different accesses), and finally it calls
-+@c gconv_find_transform and initializes the gconv_t result with all the
-+@c steps in the conversion sequence, running each one's initializer,
-+@c destructing and releasing them all if anything fails.
-+
- The @code{iconv_open} function has to be used before starting a
- conversion.  The two parameters this function takes determine the
- source and destination character set for the conversion, and if the
-@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
- @comment iconv.h
- @comment XPG2
- @deftypefun int iconv_close (iconv_t @var{cd})
-+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
-+@c Calls gconv_close to destruct and release each of the conversion
-+@c steps, release the gconv_t object, then call gconv_close_transform.
-+@c Access to the gconv_t object is not guarded, but calling iconv_close
-+@c concurrently with any other use is undefined.
-+
- The @code{iconv_close} function frees all resources associated with the
- handle @var{cd}, which must have been returned by a successful call to
- the @code{iconv_open} function.
-@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
- @comment iconv.h
- @comment XPG2
- @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
-+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
-+@c Without guarding access to the gconv_t object pointed to by cd, call
-+@c the conversion function to convert inbuf or flush the internal
-+@c conversion state.
- @cindex stateful
- The @code{iconv} function converts the text in the input buffer
- according to the rules associated with the descriptor @var{cd} and
-diff --git a/manual/conf.texi b/manual/conf.texi
-index 7eb8b36..edbb2fd 100644
---- a/manual/conf.texi
-+++ b/manual/conf.texi
-@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun {long int} sysconf (int @var{parameter})
-+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
-+@c Some parts of the implementation open /proc and /sys files and dirs
-+@c to collect system details, using fd and stream I/O depending on the
-+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
-+@c calls tzset_internal, that calls getenv if it's called the first
-+@c time; there are free and strdup calls in there too.  The returned max
-+@c value may change over time for TZNAME_MAX, depending on selected
-+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
-+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
-+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
-+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
- This function is used to inquire about runtime system parameters.  The
- @var{parameter} argument should be one of the @samp{_SC_} symbols listed
- below.
-@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
-+@c When __statfs_link_max finds an ext* filesystem, it may read
-+@c /proc/mounts or similar as a mntent stream.
-+@c __statfs_chown_restricted may read from
-+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
- This function is used to inquire about the limits that apply to
- the file named @var{filename}.
- 
-@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
-+@c Same caveats as pathconf.
- This is just like @code{pathconf} except that an open file descriptor
- is used to specify the file for which information is requested, instead
- of a file name.
-@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
- @comment unistd.h
- @comment POSIX.2
- @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function reads the value of a string-valued system parameter,
- storing the string into @var{len} bytes of memory space starting at
- @var{buf}.  The @var{parameter} argument should be one of the
-diff --git a/manual/crypt.texi b/manual/crypt.texi
-index ef90590..5c9f6f7 100644
---- a/manual/crypt.texi
-+++ b/manual/crypt.texi
-@@ -92,7 +92,13 @@ in a convenient way.
- @comment unistd.h
- @comment BSD
- @deftypefun {char *} getpass (const char *@var{prompt})
--
-+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
-+@c This function will attempt to create a stream for terminal I/O, but
-+@c will fallback to stdio/stderr.  It attempts to change the terminal
-+@c mode in a thread-unsafe way, write out the prompt, read the password,
-+@c then restore the terminal mode.  It has a cleanup to close the stream
-+@c in case of (synchronous) cancellation, but not to restore the
-+@c terminal mode.
- @code{getpass} outputs @var{prompt}, then reads a string in from the
- terminal without echoing it.  It tries to connect to the real terminal,
- @file{/dev/tty}, if possible, to encourage users not to put plaintext
-@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
- @comment crypt.h
- @comment BSD, SVID
- @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
-+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
-+@c Besides the obvious problem of returning a pointer into static
-+@c storage, the DES initializer takes an internal lock with the usual
-+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
-+@c NSS implementations of may leak file descriptors if canceled.  The
-+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
-+@c and NSS relies on dlopening, which brings about another can of worms.
- 
- The @code{crypt} function takes a password, @var{key}, as a string, and
- a @var{salt} character array which is described below, and returns a
-@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
- @comment crypt.h
- @comment GNU
- @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
-+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
-+@c Compared with crypt, this function fixes the staticbuf problem, but
-+@c nothing else.
- 
- The @code{crypt_r} function does the same thing as @code{crypt}, but
- takes an extra parameter which includes space for its result (among
-@@ -233,6 +249,11 @@ specifies the unused bits.
- @comment crypt.h
- @comment BSD, SVID
- @deftypefun void setkey (const char *@var{key})
-+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
-+@c The static buffer stores the key, making it fundamentally
-+@c thread-unsafe.  The locking issues are only in the initialization
-+@c path; cancelling the initialization will leave the lock held, it
-+@c would otherwise repeat the initialization on the next call.
- 
- The @code{setkey} function sets an internal data structure to be an
- expanded form of @var{key}.  @var{key} is specified as an array of 64
-@@ -244,6 +265,8 @@ parity.
- @comment crypt.h
- @comment BSD, SVID
- @deftypefun void encrypt (char *@var{block}, int @var{edflag})
-+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
-+@c Same issues as setkey.
- 
- The @code{encrypt} function encrypts @var{block} if
- @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
-@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
- @comment crypt.h
- @comment GNU
- @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
-+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
- @comment crypt.h
- @comment GNU
- @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
-+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
- 
- These are reentrant versions of @code{setkey} and @code{encrypt}.  The
- only difference is the extra parameter, which stores the expanded
-@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
- @comment rpc/des_crypt.h
- @comment SUNRPC
- @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- The function @code{ecb_crypt} encrypts or decrypts one or more blocks
- using DES.  Each block is encrypted independently.
-@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
- @comment rpc/des_crypt.h
- @comment SUNRPC
- @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- The function @code{cbc_crypt} encrypts or decrypts one or more blocks
- using DES in Cipher Block Chaining mode.
-@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
- @comment rpc/des_crypt.h
- @comment SUNRPC
- @deftypefun void des_setparity (char *@var{key})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- The function @code{des_setparity} changes the 64-bit @var{key}, stored
- packed in 8-bit bytes, to have odd parity by altering the low bits of
-diff --git a/manual/debug.texi b/manual/debug.texi
-index 1db9c18..ce0c263 100644
---- a/manual/debug.texi
-+++ b/manual/debug.texi
-@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
- @comment execinfo.h
- @comment GNU
- @deftypefun int backtrace (void **@var{buffer}, int @var{size})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Pointer chasing within the local stack.
- The @code{backtrace} function obtains a backtrace for the current
- thread, as a list of pointers, and places the information into
- @var{buffer}.  The argument @var{size} should be the number of
-@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
- @comment execinfo.h
- @comment GNU
- @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
-+@c Collects info returned by _dl_addr in auto array, allocates memory
-+@c for the whole return buffer with malloc then sprintfs into it storing
-+@c pointers to the strings into the array entries in the buffer.
-+@c _dl_addr takes the recursive dl_load_lock then calls
-+@c _dl_find_dso_for_object and determine_info.
-+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
-+@c All of them are safe as long as the lock is held.
-+@c asynconsist?  It doesn't looke like the dynamic loader's data
-+@c structures could be in an inconsistent state that would cause
-+@c malfunction here.
- The @code{backtrace_symbols} function translates the information
- obtained from the @code{backtrace} function into an array of strings.
- The argument @var{buffer} should be a pointer to an array of addresses
-@@ -88,6 +101,11 @@ cannot be obtained.
- @comment execinfo.h
- @comment GNU
- @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
-+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
-+@c Single loop of _dl_addr over addresses, collecting info into an iovec
-+@c written out with a writev call per iteration.  Addresses and offsets
-+@c are converted to hex in auto buffers, so the only potential issue
-+@c here is leaking the dl lock in case of cancellation.
- The @code{backtrace_symbols_fd} function performs the same translation
- as the function @code{backtrace_symbols} function.  Instead of returning
- the strings to the caller, it writes the strings to the file descriptor
-diff --git a/manual/errno.texi b/manual/errno.texi
-index 6c9fa86..eb3f412 100644
---- a/manual/errno.texi
-+++ b/manual/errno.texi
-@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
- @comment string.h
- @comment ISO
- @deftypefun {char *} strerror (int @var{errnum})
-+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
-+@c Calls strerror_r with a static buffer allocated with malloc on the
-+@c first use.
- The @code{strerror} function maps the error code (@pxref{Checking for
- Errors}) specified by the @var{errnum} argument to a descriptive error
- message string.  The return value is a pointer to this string.
-@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
- @comment string.h
- @comment GNU
- @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
-+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
- The @code{strerror_r} function works like @code{strerror} but instead of
- returning the error message in a statically allocated buffer shared by
- all threads in the process, it returns a private copy for the
-@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
- @comment stdio.h
- @comment ISO
- @deftypefun void perror (const char *@var{message})
-+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
-+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
-+@c oriented yet, create a new stream with a dup of stderr's fd and write
-+@c to that instead of stderr, to avoid orienting it.
- This function prints an error message to the stream @code{stderr};
- see @ref{Standard Streams}.  The orientation of @code{stderr} is not
- changed.
-@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
- @comment error.h
- @comment GNU
- @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
-+@c Cancellation is disabled throught the execution.  It flushes stdout
-+@c and then holds a lock on stderr while printing the program name and
-+@c then running error_tail.  The non-wide case just runs vfprintf; the
-+@c wide case converts the message to an alloca/malloc-allocated buffer
-+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
-+@c print_errno_message calls strerror_r and fxprintf.
- The @code{error} function can be used to report general problems during
- program execution.  The @var{format} argument is a format string just
- like those given to the @code{printf} family of functions.  The
-@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
- @comment error.h
- @comment GNU
- @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
-+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
-+@c The error_one_per_line variable is accessed (without any form of
-+@c synchronization, but since it's an int used once, it should be safe
-+@c enough) and, if this mode is enabled, static variables used to hold
-+@c the last printed file name and line number are accessed and modified
-+@c without synchronization; the update is not atomic and it occurs
-+@c before disabling cancellation, so it can be interrupted after only
-+@c one of the two variables is modified.  After that, it's very much
-+@c like error.
- 
- The @code{error_at_line} function is very similar to the @code{error}
- function.  The only difference are the additional parameters @var{fname}
-@@ -1582,6 +1606,8 @@ are included only for compatibility.
- @comment err.h
- @comment BSD
- @deftypefun void warn (const char *@var{format}, @dots{})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
-+@c Just calls vwarn with the va_list.
- The @code{warn} function is roughly equivalent to a call like
- @smallexample
-   error (0, errno, format, @r{the parameters})
-@@ -1594,6 +1620,11 @@ are not used.
- @comment err.h
- @comment BSD
- @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
-+@c While holding stderr's recursive lock, it prints the programname, the
-+@c given message, and the error string with fw?printf's %m.  When the
-+@c stream is wide, convert_and_print converts the format string to an
-+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
- The @code{vwarn} function is just like @code{warn} except that the
- parameters for the handling of the format string @var{format} are passed
- in as an value of type @code{va_list}.
-@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
- @comment err.h
- @comment BSD
- @deftypefun void warnx (const char *@var{format}, @dots{})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
-+@c Same as warn, but without the strerror translation issues.
- The @code{warnx} function is roughly equivalent to a call like
- @smallexample
-   error (0, 0, format, @r{the parameters})
-@@ -1615,6 +1648,8 @@ string is printed.
- @comment err.h
- @comment BSD
- @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
-+@c Same as vwarn, but without the strerror translation issues.
- The @code{vwarnx} function is just like @code{warnx} except that the
- parameters for the handling of the format string @var{format} are passed
- in as an value of type @code{va_list}.
-@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
- @comment err.h
- @comment BSD
- @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
-+@c Same as warn followed by exit.
- The @code{err} function is roughly equivalent to a call like
- @smallexample
-   error (status, errno, format, @r{the parameters})
-@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
- @comment err.h
- @comment BSD
- @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
-+@c Same as vwarn followed by exit.
- The @code{verr} function is just like @code{err} except that the
- parameters for the handling of the format string @var{format} are passed
- in as an value of type @code{va_list}.
-@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
- @comment err.h
- @comment BSD
- @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
-+@c Same as warnx followed by exit.
- The @code{errx} function is roughly equivalent to a call like
- @smallexample
-   error (status, 0, format, @r{the parameters})
-@@ -1657,6 +1698,8 @@ string is printed.
- @comment err.h
- @comment BSD
- @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
-+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
-+@c Same as vwarnx followed by exit.
- The @code{verrx} function is just like @code{errx} except that the
- parameters for the handling of the format string @var{format} are passed
- in as an value of type @code{va_list}.
-diff --git a/manual/filesys.texi b/manual/filesys.texi
-index 1df9cf2..2244025 100644
---- a/manual/filesys.texi
-+++ b/manual/filesys.texi
-@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
- @comment unistd.h
- @comment POSIX.1
- @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c If buffer is NULL, this function calls malloc and realloc, and, in
-+@c case of error, free.  Linux offers a getcwd syscall that we use on
-+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
-+@c fallback, and on other systems, the generic implementation opens each
-+@c parent directory with opendir, which allocates memory for the
-+@c directory stream with malloc.  If a fstatat64 syscall is not
-+@c available, very deep directory trees may also have to malloc to build
-+@c longer sequences of ../../../... than those supported by a global
-+@c const read-only string.
-+
-+@c linux/__getcwd
-+@c  posix/__getcwd
-+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
-+@c   lstat64 -> see its own entry
-+@c   fstatat64
-+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
-+@c   openat64_not_cancel_3, close_not_cancel_no_status
-+@c   __fdopendir, __opendir, __readdir, rewinddir
- The @code{getcwd} function returns an absolute file name representing
- the current working directory, storing it in the character array
- @var{buffer} that you provide.  The @var{size} argument is how you tell
-@@ -116,6 +135,9 @@ software.
- @comment unistd.h
- @comment BSD
- @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
-+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
-+@c Besides the getcwd safety issues, it calls strerror_r on error, which
-+@c brings in all of the i18n issues.
- This is similar to @code{getcwd}, but has no way to specify the size of
- the buffer.  @Theglibc{} provides @code{getwd} only
- for backwards compatibility with BSD.
-@@ -130,6 +152,9 @@ this function is deprecated.
- @comment unistd.h
- @comment GNU
- @deftypefun {char *} get_current_dir_name (void)
-+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Besides getcwd, which this function calls as a fallback, it calls
-+@c getenv, with the usual thread-safety issues that brings about.
- @vindex PWD
- This @code{get_current_dir_name} function is basically equivalent to
- @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
-@@ -145,6 +170,7 @@ This function is a GNU extension.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int chdir (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is used to set the process's working directory to
- @var{filename}.
- 
-@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
- @comment unistd.h
- @comment XPG
- @deftypefun int fchdir (int @var{filedes})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is used to set the process's working directory to
- directory associated with the file descriptor @var{filedes}.
- 
-@@ -294,12 +321,14 @@ values and @code{st_mode} values:
- @comment dirent.h
- @comment BSD
- @deftypefun int IFTODT (mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This returns the @code{d_type} value corresponding to @var{mode}.
- @end deftypefun
- 
- @comment dirent.h
- @comment BSD
- @deftypefun mode_t DTTOIF (int @var{dtype})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This returns the @code{st_mode} value corresponding to @var{dtype}.
- @end deftypefun
- @end table
-@@ -342,6 +371,9 @@ the following functions.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun {DIR *} opendir (const char *@var{dirname})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Besides the safe syscall, we have to allocate the DIR object with
-+@c __alloc_dir, that calls malloc.
- The @code{opendir} function opens and returns a directory stream for
- reading the directory whose file name is @var{dirname}.  The stream has
- type @code{DIR *}.
-@@ -381,6 +413,8 @@ alternative interface can be used.
- @comment dirent.h
- @comment GNU
- @deftypefun {DIR *} fdopendir (int @var{fd})
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c The DIR object is allocated with __alloc_dir, that calls malloc.
- The @code{fdopendir} function works just like @code{opendir} but
- instead of taking a file name and opening a file descriptor for the
- directory the caller is required to provide a file descriptor.  This
-@@ -425,6 +459,7 @@ access.
- @comment dirent.h
- @comment GNU
- @deftypefun int dirfd (DIR *@var{dirstream})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The function @code{dirfd} returns the file descriptor associated with
- the directory stream @var{dirstream}.  This descriptor can be used until
- the directory is closed with @code{closedir}.  If the directory stream
-@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
-+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
-+@c This function holds dirstream's non-recursive lock, which brings
-+@c about the usual issues with locks and async signals and cancellation,
-+@c but the lock taking is not enough to make the returned value safe to
-+@c use, since it points to a stream's internal buffer that can be
-+@c overwritten by subsequent calls or even released by closedir.
- This function reads the next entry from the directory.  It normally
- returns a pointer to a structure containing information about the file.
- This structure is statically allocated and can be rewritten by a
-@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
- @comment dirent.h
- @comment GNU
- @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- This function is the reentrant version of @code{readdir}.  Like
- @code{readdir} it returns the next entry from the directory.  But to
- prevent conflicts between simultaneously running threads the result is
-@@ -516,6 +558,7 @@ of the last two functions.
- @comment dirent.h
- @comment LFS
- @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
-+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{readdir64} function is just like the @code{readdir} function
- except that it returns a pointer to a record of type @code{struct
- dirent64}.  Some of the members of this data type (notably @code{d_ino})
-@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
- @comment dirent.h
- @comment LFS
- @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{readdir64_r} function is equivalent to the @code{readdir_r}
- function except that it takes parameters of base type @code{struct
- dirent64} instead of @code{struct dirent} in the second and third
-@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
- @comment dirent.h
- @comment POSIX.1
- @deftypefun int closedir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
-+@c No synchronization in the posix implementation, only in the hurd
-+@c one.  This is regarded as safe because it is undefined behavior if
-+@c other threads could still be using the dir stream while it's closed.
- This function closes the directory stream @var{dirstream}.  It returns
- @code{0} on success and @code{-1} on failure.
- 
-@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
- @comment dirent.h
- @comment POSIX.1
- @deftypefun void rewinddir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
- The @code{rewinddir} function is used to reinitialize the directory
- stream @var{dirstream}, so that if you call @code{readdir} it
- returns information about the first entry in the directory again.  This
-@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
- @comment dirent.h
- @comment BSD
- @deftypefun {long int} telldir (DIR *@var{dirstream})
-+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
-+@c The implementation is safe on most platforms, but on BSD it uses
-+@c cookies, buckets and records, and the global array of pointers to
-+@c dynamically allocated records is guarded by a non-recursive lock.
- The @code{telldir} function returns the file position of the directory
- stream @var{dirstream}.  You can use this value with @code{seekdir} to
- restore the directory stream to that position.
-@@ -597,6 +650,10 @@ restore the directory stream to that position.
- @comment dirent.h
- @comment BSD
- @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
-+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
-+@c The implementation is safe on most platforms, but on BSD it uses
-+@c cookies, buckets and records, and the global array of pointers to
-+@c dynamically allocated records is guarded by a non-recursive lock.
- The @code{seekdir} function sets the file position of the directory
- stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
- result of a previous call to @code{telldir} on this particular stream;
-@@ -616,6 +673,19 @@ the result.
- @comment dirent.h
- @comment BSD/SVID
- @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
-+@c The scandir function calls __opendirat, __readdir, and __closedir to
-+@c go over the named dir; malloc and realloc to allocate the namelist
-+@c and copies of each selected dirent, besides the selector, if given,
-+@c and qsort and the cmp functions if the latter is given.  In spite of
-+@c the cleanup handler that releases memory and the file descriptor in
-+@c case of synchronous cancellation, an asynchronous cancellation may
-+@c still leak memory and a file descriptor.  Although readdir is unsafe
-+@c in general, the use of an internal dir stream for sequential scanning
-+@c of the directory with copying of dirents before subsequent calls
-+@c makes the use safe, and the fact that the dir stream is private to
-+@c each scandir call does away with the lock issues in readdir and
-+@c closedir.
- 
- The @code{scandir} function scans the contents of the directory selected
- by @var{dir}.  The result in *@var{namelist} is an array of pointers to
-@@ -646,6 +716,8 @@ are very helpful for this purpose.
- @comment dirent.h
- @comment BSD/SVID
- @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c Calls strcoll.
- The @code{alphasort} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
- are not string pointers but instead they are of type
-@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c Calls strverscmp.
- The @code{versionsort} function is like @code{alphasort} except that it
- uses the @code{strverscmp} function internally.
- @end deftypefun
-@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
- @comment dirent.h
- @comment GNU
- @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
-+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
-+@c See scandir.
- The @code{scandir64} function works like the @code{scandir} function
- except that the directory entries it returns are described by elements
- of type @w{@code{struct dirent64}}.  The function pointed to by
-@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
- @comment dirent.h
- @comment GNU
- @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
-+@c See alphasort.
- The @code{alphasort64} function behaves like the @code{strcoll} function
- (@pxref{String/Array Comparison}).  The difference is that the arguments
- are not string pointers but instead they are of type
-@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
- @comment dirent.h
- @comment GNU
- @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
-+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
-+@c See versionsort.
- The @code{versionsort64} function is like @code{alphasort64}, excepted that it
- uses the @code{strverscmp} function internally.
- @end deftypefun
-@@ -880,6 +960,8 @@ file was passed).
- @comment ftw.h
- @comment SVID
- @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
-+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
-+@c see nftw for safety details
- The @code{ftw} function calls the callback function given in the
- parameter @var{func} for every item which is found in the directory
- specified by @var{filename} and all directories below.  The function
-@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
- @comment ftw.h
- @comment Unix98
- @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
-+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
- This function is similar to @code{ftw} but it can work on filesystems
- with large files.  File information is reported using a variable of type
- @code{struct stat64} which is passed by reference to the callback
-@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
- @comment ftw.h
- @comment XPG4.2
- @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
-+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
-+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
-+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
-+@c  if FTW_CHDIR, also calls fchdir
-+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
-+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
-+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
-+@c  find_object (tsearch) and add_object (tfind).  
-+@c Since each invocation of *ftw uses its own private search tree, none
-+@c  of the search tree concurrency issues apply.
- The @code{nftw} function works like the @code{ftw} functions.  They call
- the callback function @var{func} for all items found in the directory
- @var{filename} and below.  At most @var{descriptors} file descriptors
-@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
- @comment ftw.h
- @comment Unix98
- @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
-+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
- This function is similar to @code{nftw} but it can work on filesystems
- with large files.  File information is reported using a variable of type
- @code{struct stat64} which is passed by reference to the callback
-@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{link} function makes a new link to the existing file named by
- @var{oldname}, under the new name @var{newname}.
- 
-@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
- @comment unistd.h
- @comment BSD
- @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{symlink} function makes a symbolic link to @var{oldname} named
- @var{newname}.
- 
-@@ -1190,6 +1287,7 @@ exceeded.
- @comment unistd.h
- @comment BSD
- @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{readlink} function gets the value of the symbolic link
- @var{filename}.  The file name that the link points to is copied into
- @var{buffer}.  This file name string is @emph{not} null-terminated;
-@@ -1249,6 +1347,8 @@ names can refer to the same inode.
- @comment stdlib.h
- @comment GNU
- @deftypefun {char *} canonicalize_file_name (const char *@var{name})
-+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Calls realpath.
- 
- The @code{canonicalize_file_name} function returns the absolute name of
- the file named by @var{name} which contains no @code{.}, @code{..}
-@@ -1290,6 +1390,8 @@ where the result is placed in.
- @comment stdlib.h
- @comment XPG
- @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
-+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
-+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
- 
- A call to @code{realpath} where the @var{resolved} parameter is
- @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
-@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int unlink (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{unlink} function deletes the file name @var{filename}.  If
- this is a file's sole name, the file itself is also deleted.  (Actually,
- if any process has the file open when this happens, deletion is
-@@ -1371,6 +1474,7 @@ file system and can't be modified.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int rmdir (const char *@var{filename})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- @cindex directories, deleting
- @cindex deleting a directory
- The @code{rmdir} function deletes a directory.  The directory must be
-@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
- @comment stdio.h
- @comment ISO
- @deftypefun int remove (const char *@var{filename})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Calls unlink and rmdir.
- This is the @w{ISO C} function to remove a file.  It works like
- @code{unlink} for files and like @code{rmdir} for directories.
- @code{remove} is declared in @file{stdio.h}.
-@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
- @comment stdio.h
- @comment ISO
- @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a rename syscall, there's an emulation with link
-+@c and unlink, but it's racy, even more so if newname exists and is
-+@c unlinked first.
- The @code{rename} function renames the file @var{oldname} to
- @var{newname}.  The file formerly accessible under the name
- @var{oldname} is afterwards accessible as @var{newname} instead.  (If
-@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{mkdir} function creates a new, empty directory with name
- @var{filename}.
- 
-@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{stat} function returns information about the attributes of the
- file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
- 
-@@ -1875,6 +1987,7 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{stat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
- this the result is stored in a variable of type @code{struct stat64} to
-@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{fstat} function is like @code{stat}, except that it takes an
- open file descriptor as an argument instead of a file name.
- @xref{Low-Level I/O}.
-@@ -1909,6 +2023,7 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function is similar to @code{fstat} but is able to work on large
- files on 32-bit platforms.  For large files the file descriptor
- @var{filedes} should be obtained by @code{open64} or @code{creat64}.
-@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
- replaces the interface for small files on 32-bit machines.
- @end deftypefun
- 
-+@c fstatat will call alloca and snprintf if the syscall is not
-+@c available.
-+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
-+
- @comment sys/stat.h
- @comment BSD
- @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct system call through lxstat, sometimes with an xstat conv call
-+@c afterwards.
- The @code{lstat} function is like @code{stat}, except that it does not
- follow symbolic links.  If @var{filename} is the name of a symbolic
- link, @code{lstat} returns information about the link itself; otherwise
-@@ -1936,6 +2058,9 @@ replaces the normal implementation.
- @comment sys/stat.h
- @comment Unix98
- @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Direct system call through lxstat64, sometimes with an xstat conv
-+@c call afterwards.
- This function is similar to @code{lstat} but it is also able to work on
- files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
- this the result is stored in a variable of type @code{struct stat64} to
-@@ -1974,12 +2099,14 @@ that file:
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISDIR (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a directory.
- @end deftypefn
- 
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISCHR (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a character special file (a
- device like a terminal).
- @end deftypefn
-@@ -1987,6 +2114,7 @@ device like a terminal).
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISBLK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a block special file (a device
- like a disk).
- @end deftypefn
-@@ -1994,12 +2122,14 @@ like a disk).
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISREG (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a regular file.
- @end deftypefn
- 
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_ISFIFO (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a FIFO special file, or a
- pipe.  @xref{Pipes and FIFOs}.
- @end deftypefn
-@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
- @comment sys/stat.h
- @comment GNU
- @deftypefn Macro int S_ISLNK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a symbolic link.
- @xref{Symbolic Links}.
- @end deftypefn
-@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
- @comment sys/stat.h
- @comment GNU
- @deftypefn Macro int S_ISSOCK (mode_t @var{m})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns non-zero if the file is a socket.  @xref{Sockets}.
- @end deftypefn
- 
-@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX message queues as distinct objects and the
- file is a message queue object, this macro returns a non-zero value.
- In all other cases the result is zero.
-@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX semaphores as distinct objects and the
- file is a semaphore object, this macro returns a non-zero value.
- In all other cases the result is zero.
-@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
- @comment sys/stat.h
- @comment POSIX
- @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If the system implement POSIX shared memory objects as distinct objects
- and the file is an shared memory object, this macro returns a non-zero
- value.  In all other cases the result is zero.
-@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{chown} function changes the owner of the file @var{filename} to
- @var{owner}, and its group owner to @var{group}.
- 
-@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
- @comment unistd.h
- @comment BSD
- @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is like @code{chown}, except that it changes the owner of the open
- file with descriptor @var{filedes}.
- 
-@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun mode_t umask (mode_t @var{mask})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{umask} function sets the file creation mask of the current
- process to @var{mask}, and returns the previous value of the file
- creation mask.
-@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
- @comment sys/stat.h
- @comment GNU
- @deftypefun mode_t getumask (void)
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Return the current value of the file creation mask for the current
- process.  This function is a GNU extension and is only available on
- @gnuhurdsystems{}.
-@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
- @comment sys/stat.h
- @comment POSIX.1
- @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{chmod} function sets the access permission bits for the file
- named by @var{filename} to @var{mode}.
- 
-@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
- @comment sys/stat.h
- @comment BSD
- @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is like @code{chmod}, except that it changes the permissions of the
- currently open file given by @var{filedes}.
- 
-@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
- @comment unistd.h
- @comment POSIX.1
- @deftypefun int access (const char *@var{filename}, int @var{how})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- The @code{access} function checks to see whether the file named by
- @var{filename} can be accessed in the way specified by the @var{how}
- argument.  The @var{how} argument either can be the bitwise OR of the
-@@ -2732,6 +2874,9 @@ This is the modification time for the file.
- @comment utime.h
- @comment POSIX.1
- @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a utime syscall, it non-atomically converts times
-+@c to a struct timeval and calls utimes.
- This function is used to modify the file times associated with the file
- named @var{filename}.
- 
-@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
- @comment sys/time.h
- @comment BSD
- @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c In the absence of a utimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall, or to
-+@c struct utimbuf and calls utime.
- This function sets the file access and modification times of the file
- @var{filename}.  The new file access time is specified by
- @code{@var{tvp}[0]}, and the new modification time by
-@@ -2797,6 +2946,9 @@ function.
- @comment sys/time.h
- @comment BSD
- @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Since there's no lutimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall.
- This function is like @code{utimes}, except that it does not follow
- symbolic links.  If @var{filename} is the name of a symbolic link,
- @code{lutimes} sets the file access and modification times of the
-@@ -2813,6 +2965,10 @@ function.
- @comment sys/time.h
- @comment BSD
- @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
-+@c Since there's no futimes syscall, it non-atomically converts tvp
-+@c to struct timespec array and issues a utimensat syscall, falling back
-+@c to utimes on a /proc/self/fd symlink.
- This function is like @code{utimes}, except that it takes an open file
- descriptor as an argument instead of a file name.  @xref{Low-Level
- I/O}.  This function comes from FreeBSD, and is not available on all
-@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
- @comment unistd.h
- @comment X/Open
- @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a truncate syscall, we use open and ftruncate.
- 
- The @code{truncate} function changes the size of @var{filename} to
- @var{length}.  If @var{length} is shorter than the previous length, data
-@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
- @comment unistd.h
- @comment Unix98
- @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a syscall, try truncate if length fits.
- This function is similar to the @code{truncate} function.  The
- difference is that the @var{length} argument is 64 bits wide even on 32
- bits machines, which allows the handling of files with sizes up to
-@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
- @comment unistd.h
- @comment POSIX
- @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- 
- This is like @code{truncate}, but it works on a file descriptor @var{fd}
- for an opened file instead of a file name to identify the object.  The
-@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
- @comment unistd.h
- @comment Unix98
- @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c In the absence of a syscall, try ftruncate if length fits.
- This function is similar to the @code{ftruncate} function.  The
- difference is that the @var{length} argument is 64 bits wide even on 32
- bits machines which allows the handling of files with sizes up to
-@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
- @comment sys/stat.h
- @comment BSD
- @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Instead of issuing the syscall directly, we go through xmknod.
-+@c Although the internal xmknod takes a dev_t*, that could lead to
-+@c xguargs races, it's passed a pointer to mknod's dev.
- The @code{mknod} function makes a special file with name @var{filename}.
- The @var{mode} specifies the mode of the file, and may include the various
- special file bits, such as @code{S_IFCHR} (for a character special file)
-@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
- @comment stdio.h
- @comment ISO
- @deftypefun {FILE *} tmpfile (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
-+@c The unsafety issues are those of fdopen, plus fdleak because of the
-+@c open.
-+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
-+@c  libc_secure_genenv only if try_tmpdir
-+@c  xstat64, strlen, strcmp, sprintf
-+@c __gen_tempname (internal tmpl, __GT_FILE) ok
-+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
-+@c  HP_TIMING_NOW if available ok
-+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
-+@c  static value is used and modified without synchronization ok
-+@c   but the use is as a source of non-cryptographic randomness
-+@c   with retries in case of collision, so it should be safe
-+@c unlink, fdopen
- This function creates a temporary binary file for update mode, as if by
- calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
- automatically when it is closed or when the program terminates.  (On
-@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
- @comment stdio.h
- @comment Unix98
- @deftypefun {FILE *} tmpfile64 (void)
-+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
- This function is similar to @code{tmpfile}, but the stream it returns a
- pointer to was opened using @code{tmpfile64}.  Therefore this stream can
- be used for files larger then @math{2^31} bytes on 32-bit machines.
-@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
- @comment stdio.h
- @comment ISO
- @deftypefun {char *} tmpnam (char *@var{result})
-+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
-+@c The passed-in buffer should not be modified concurrently with the
-+@c call.
-+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
-+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
- This function constructs and returns a valid file name that does not
- refer to any existing file.  If the @var{result} argument is a null
- pointer, the return value is a pointer to an internal static string,
-@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
- @comment stdio.h
- @comment GNU
- @deftypefun {char *} tmpnam_r (char *@var{result})
-+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
- This function is nearly identical to the @code{tmpnam} function, except
- that if @var{result} is a null pointer it returns a null pointer.
- 
-@@ -3192,6 +3380,13 @@ never less than @code{25}.
- @comment stdio.h
- @comment SVID
- @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
-+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
-+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
-+@c even with a non-NULL dir, which makes this thread-unsafe.
-+@c
-+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
-+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
-+@c strdup
- This function generates a unique temporary file name.  If @var{prefix}
- is not a null pointer, up to five characters of this string are used as
- a prefix for the file name.  The return value is a string newly
-@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
- @comment stdlib.h
- @comment Unix
- @deftypefun {char *} mktemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
-+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
- The @code{mktemp} function generates a unique file name by modifying
- @var{template} as described above.  If successful, it returns
- @var{template} as modified.  If @code{mktemp} cannot find a unique file
-@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
- @comment stdlib.h
- @comment BSD
- @deftypefun int mkstemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
-+@c __gen_tempname (caller tmpl, __GT_FILE) ok
- The @code{mkstemp} function generates a unique file name just as
- @code{mktemp} does, but it also opens the file for you with @code{open}
- (@pxref{Opening and Closing Files}).  If successful, it modifies
-@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
- @comment stdlib.h
- @comment BSD
- @deftypefun {char *} mkdtemp (char *@var{template})
-+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
-+@c __gen_tempname (caller tmpl, __GT_DIR) ok
- The @code{mkdtemp} function creates a directory with a unique name.  If
- it succeeds, it overwrites @var{template} with the name of the
- directory, and returns @var{template}.  As with @code{mktemp} and
-@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
- @xref{Creating Directories}.
- 
- The @code{mkdtemp} function comes from OpenBSD.
-+
-+@c FIXME these are undocumented:
-+@c faccessat
-+@c fchmodat
-+@c fchownat
-+@c futimesat
-+@c fstatat
-+@c linkat
-+@c mkdirat
-+@c mkfifoat
-+@c name_to_handle_at
-+@c openat
-+@c open_by_handle_at
-+@c readlinkat
-+@c renameat
-+@c scandirat
-+@c symlinkat
-+@c unlinkat
-+@c utimensat
-+@c mknodat
-diff --git a/manual/getopt.texi b/manual/getopt.texi
-index f0b7283..3c1f4de 100644
---- a/manual/getopt.texi
-+++ b/manual/getopt.texi
-@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
- @comment unistd.h
- @comment POSIX.2
- @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
-+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
-+@c It may swap argv elements but argv is not guarded, and the
-+@c modifications may be partial in case of cancellation.  Calling getenv
-+@c also brings about thread-safety issues out of access and returning
-+@c pointers into the globally shared environment array, just like
-+@c calling gettext brings about a whole lot of AS and AC safety issues.
-+@c The getopt API involves returning values in the non-thread-specific
-+@c optarg variable, which adds another thread-safety issue.  Given
-+@c print_errors, it may output errors to stderr, which may
-+@c self-deadlock, leak locks, or encounter (in a signal handler) or
-+@c leave (in case of cancellation) stderr in an inconsistent state.
-+@c Various implicit, indirect uses of malloc, in uses of memstream and
-+@c asprintf for error-printing, bring about the usual malloc issues.
-+@c (The explicit use of malloc in a conditional situation in
-+@c _getopt_initialize is never exercised in glibc.)
-+@c
-+@c _getopt_internal
-+@c  _getopt_internal_r
-+@c   gettext
-+@c   _getopt_initialize
-+@c    getenv
-+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
-+@c   open_memstream
-+@c   lockfile, unlockfile, __fxprintf -> stderr
-+@c   asprintf
- The @code{getopt} function gets the next option argument from the
- argument list specified by the @var{argv} and @var{argc} arguments.
- Normally these values come directly from the arguments received by
-@@ -225,6 +250,8 @@ was seen.
- @comment getopt.h
- @comment GNU
- @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
-+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
-+@c Same issues as getopt.
- Decode options from the vector @var{argv} (whose length is @var{argc}).
- The argument @var{shortopts} describes the short options to accept, just as
- it does in @code{getopt}.  The argument @var{longopts} describes the long
-@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
- @comment getopt.h
- @comment GNU
- @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
-+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
-+@c Same issues as getopt.
- 
- The @code{getopt_long_only} function is equivalent to the
- @code{getopt_long} function but it allows to specify the user of the
-diff --git a/manual/intro.texi b/manual/intro.texi
-index 2630a77..e47832c 100644
---- a/manual/intro.texi
-+++ b/manual/intro.texi
-@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
- @code{setlocale} should not be called while these functions are active.
- 
- 
-+@item @code{envromt}
-+@cindex envromt
-+
-+Functions marked with @code{envromt} access the environment with
-+@code{getenv} or similar, requiring the environment to be effectively
-+read-only for MT-Safe operation.
-+
-+Environment-modifying functions do not protect in any way against
-+concurrent modifications or access, so calling @code{envromt}-marked
-+functions concurrently with @code{setenv}, @code{putenv},
-+@code{unsetenv} or direct modifications of the global environment data
-+structures is ill-advised; external concurrency control must be
-+introduced by callers of these environment-modifying and
-+@code{envromt}-marked functions.
-+
-+Functions that modify the environment are also marked with
-+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
-+all environment-modifying functions are MT-Unsafe, functions that only
-+access the environment are marked as MT-Safe when no other safety issue
-+applies.
-+
-+
- @item @code{uunguard}
- @cindex uunguard
- 
-@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
- modified concurrently by other threads or signal handlers.
- 
- 
-+@item @code{tempchwd}
-+@cindex tempchwd
-+
-+Functions marked with @code{tempchwd} may temporarily change the current
-+working directory during their execution, which may cause relative
-+pathnames to be resolved in unexpected ways in other threads or within
-+asynchronous signal or cancellation handlers.
-+
-+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
-+but when this behavior is optional (e.g., @code{nftw} with
-+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
-+a good alternative to using full pathnames or file descriptor-relative
-+(e.g. @code{openat}) system calls.
-+
-+
-+@item @code{tempterm}
-+@cindex tempterm
-+
-+Functions marked with @code{tempterm} may temporarily change the
-+terminal settings.
-+
-+This would not be enough of a reason to mark so-marked functions as
-+MT-Unsafe, but the recommended mode to modify terminal settings is to
-+call @code{tcgetattr}, modify some flags, and then call
-+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
-+they leave a window in which changes made by other threads are lost.
-+
-+It is thus advisable for applications using the terminal to avoid
-+concurrent interactions with it, more so if they expect different
-+terminal modes.
-+
-+If this mark appears as an AC-Safety note, it means the function may
-+also fail to restore the original terminal mode in case of asynchronous
-+cancellation.
-+
-+
- @end itemize
- 
- 
-@@ -305,11 +363,37 @@ as follows:
- 
- Functions annotated with @code{staticbuf} use internal static buffers or
- variables in ways that may cause concurrent calls to interfere
--destructively.
-+destructively.  
- 
- These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
- offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
- 
-+In many of these cases, the static buffer is only used to hold a return
-+value; in a few of these, such as @code{tmpnam}, the use of the internal
-+buffer can be avoided by passing the buffer as an argument, which makes
-+the call MT-Safe and AS-Safe.
-+
-+
-+@item @code{asi18n}
-+@cindex asi18n
-+
-+Functions marked with @code{asi18n} use internationalization functions
-+(@code{gettext}), which brings in a number of dependencies and issues
-+yet to be documented.
-+
-+
-+@item @code{shlimb}
-+@cindex shlimb
-+
-+Functions marked with @code{shlimb} use the dynamic loader to bring in
-+additional code modules.  This involves opening files, mapping them into
-+memory, allocating additional memory, resolving symbols, applying
-+relocations and more, all of this while holding the dynamic loader
-+lock.  
-+
-+The non-recursive lock itself is enough for the function to be AS- and
-+AC-Unsafe, but many other issues may arise.
-+
- 
- @item @code{fdleak}
- @cindex fdleak
-@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
- Functions marked with @code{selfdeadlock} take a non-recursive lock to
- ensure MT-Safety while modifying data structures guarded by the lock.
- 
--If such a function is interrupted by a signal while holding the lock,
--and the signal handler calls any function that takes the same
--non-recursive lock, the result is a deadlock.
-+If such a function is called by a signal handler that interrupted
-+another such function that took the lock, the result is a deadlock.
- 
- Blocking asynchronous signal delivery while calling such functions is
- the only safe way to avoid a deadlock if any signal handler might need
-@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
- MT-Safety while accessing or modifying data structures guarded by the
- lock.
- 
--If such a function is interrupted by a signal while holding the lock,
--and the signal handler calls any function that takes the same
--non-recursive lock, the latter function may observe a partially updated,
--inconsistent data structure, and misbehave.
-+If such a function is called by a signal handler that interrupted
-+another such function that took the lock, both may misbehave for
-+observing inconsistent (partially updated or cached) data structures.
- 
- Blocking asynchronous signal delivery while calling such functions is
- the only safe way to avoid the misbehavior that may ensue if any signal
-@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
- only safe way to avoid the misbehavior that may ensure if the thread is
- canceled while the function is running.
- 
-+@c A special case, probably not worth documenting separately, involves
-+@c reallocing, or even freeing pointers.  Any case involving free could
-+@c be easily turned into an ac-safe memleak by resetting the pointer
-+@c before releasing it; I don't think we have any case that calls for
-+@c this sort of fixing.  Fixing the realloc cases would require a new
-+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
-+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
-+@c before releasing the old memory.  The ac-unsafe realloc could be
-+@c implemented in terms of an internal interface with this semantics
-+@c (say __acsafe_realloc), but since realloc can be overridden, the
-+@c function we call to implement realloc should not be this internal
-+@c interface, but another internal interface that calls __acsafe_realloc
-+@c if realloc was not overridden, and calls the overridden realloc with
-+@c async cancel disabled.  --lxoliva
-+
- 
- @item @code{simfpu}
- @cindex simfpu
 diff --git a/manual/job.texi b/manual/job.texi
 index 4efeed3..779ea96 100644
 --- a/manual/job.texi
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index e415a47..7f2c050 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,5 +1,5 @@
-Bottom: f865586a6c7ce831d9285c15a3df95a5b593b24b
-Top:    6ecb4948f5afac7b2e943164b461bf059c000127
+Bottom: c59759fbdfb422ada848ebdd3845677059986449
+Top:    a8bc26b023f2d43016f043a1972e12edc1f31f8d
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index d6b66ee..0fa4208 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,5 +1,5 @@
-Bottom: 6ecb4948f5afac7b2e943164b461bf059c000127
-Top:    6c9a45167e9f148c725e5d962b1cd083292f0adf
+Bottom: a8bc26b023f2d43016f043a1972e12edc1f31f8d
+Top:    6ef173fc60a9c842433354081fa0216e4430c1b8
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4546f1ef42848ecd1b89ad15aa4c920e8aed77c2

commit 4546f1ef42848ecd1b89ad15aa4c920e8aed77c2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/???.texi: Document thread safety properties.

diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the
diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,
diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym
diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3
diff --git a/manual/locale.texi b/manual/locale.texi
index 323268d..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-@safety{@mtunsafe{uunguard}}
-@c This function is MT-Safe, but uses of the global locale object are
-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
-@c the use of this function once threads are started.
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.
diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with
diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 
diff --git a/manual/stdio.texi b/manual/stdio.texi
index 7809dd4..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 @c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
@@ -267,7 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
 @c After fclose, it is undefined behavior to use the stream it points
 @c to.  Therefore, one must only call fclose when the stream is
 @c otherwise unused.  Concurrent uses started before will complete
@@ -2662,6 +2662,42 @@ pointer @var{ap}.
 @c case of cancellation.  This doesn't make it unsafe, but cancelling it
 @c may leak memory.  The unguarded use of __printf_function_table is
 @c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
 @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
 @c bringing with it additional potential for async trouble with
 @c list_all_lock.
@@ -5076,7 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -5192,7 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.
diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield
diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c48dff451b9a543c5f827092417468a0d6672c59

commit c48dff451b9a543c5f827092417468a0d6672c59
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0082110725464cff983520a32eac4c49ff25339e

commit 0082110725464cff983520a32eac4c49ff25339e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d1d06a086358b876405130714e2c5cf0d7740ab8

commit d1d06a086358b876405130714e2c5cf0d7740ab8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e3578b80d486c85ecfce6a21f09e9051d868468b

commit e3578b80d486c85ecfce6a21f09e9051d868468b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..323268d 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard}}
+@c This function is MT-Safe, but uses of the global locale object are
+@c unguarded in functions that ought to be MT-Safe, so we're ruling out
+@c the use of this function once threads are started.
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b035d6eeb7b48636043919617d515c88522ba6c3

commit b035d6eeb7b48636043919617d515c88522ba6c3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ce7a82428b383c27385283464762599a0000cba2

commit ce7a82428b383c27385283464762599a0000cba2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..7809dd4 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,12 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2785,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4201,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4399,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4594,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4764,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4781,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4906,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5076,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5192,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7f89734934ba539d84fdf02163f64ae84f795ac9

commit 7f89734934ba539d84fdf02163f64ae84f795ac9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=727a9c49e98194570a2c85e47c355bcc55398cd9

commit 727a9c49e98194570a2c85e47c355bcc55398cd9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e600904c5eab885a1a7c8aef6bb2f570bd201275

commit e600904c5eab885a1a7c8aef6bb2f570bd201275
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=95b0911edf2eb244430d9533ec0a8a3f7058581c

commit 95b0911edf2eb244430d9533ec0a8a3f7058581c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=296ae41496afc524f6f75648a3298a5419b46990

commit 296ae41496afc524f6f75648a3298a5419b46990
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5a1a8a43ebaa9cc6a6dc182bd931fbca63e7d866

commit 5a1a8a43ebaa9cc6a6dc182bd931fbca63e7d866
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8b86b0ead9b1494ad7b0aa283a423813ed5e8bc7

commit 8b86b0ead9b1494ad7b0aa283a423813ed5e8bc7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=62694b21850cd676e82306bc82418b952b9d3d31

commit 62694b21850cd676e82306bc82418b952b9d3d31
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8ff199e32650a502ca50da4736e82ed813e08fa4

commit 8ff199e32650a502ca50da4736e82ed813e08fa4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8f0d964f583cad6e1513d3ee7521ebca819e5751

commit 8f0d964f583cad6e1513d3ee7521ebca819e5751
Merge: cef7673 b4d906a 351fb37
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:31 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cef76738899cce255453eb45aba66aed9204d228

commit cef76738899cce255453eb45aba66aed9204d228
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:31 2013 -0300

    refresh

diff --git a/meta b/meta
index 0ed9f4f..00e3714 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,8 @@
 Version: 1
-Previous: 76dc6db481a93b17fc264340a48aa76e2afe8f75
-Head: cc2ab132a3cc951371827c846aa4dfa264ba321f
+Previous: b4d906acf0574484a2eee239e7c46c7e060297be
+Head: 351fb371fa127df8fa5e27b38a330e4258b35180
 Applied:
-  manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
-  refresh-temp: cc2ab132a3cc951371827c846aa4dfa264ba321f
+  manual-document-mt-safety.patch: 351fb371fa127df8fa5e27b38a330e4258b35180
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index 6bdec13..e164c49 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,5 +1,5 @@
 Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
-Top:    f865586a6c7ce831d9285c15a3df95a5b593b24b
+Top:    c59759fbdfb422ada848ebdd3845677059986449
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:39 -0300
 
@@ -15,10 +15,10 @@ for  ChangeLog
 ---
 
 diff --git a/manual/intro.texi b/manual/intro.texi
-index deaf089..2630a77 100644
+index deaf089..e47832c 100644
 --- a/manual/intro.texi
 +++ b/manual/intro.texi
-@@ -172,6 +172,314 @@ pattern matching facilities (@pxref{Pattern Matching}).
+@@ -172,6 +172,411 @@ pattern matching facilities (@pxref{Pattern Matching}).
  @comment <wordexp.h> (not yet implemented)
  @comment confstr
  
@@ -112,6 +112,28 @@ index deaf089..2630a77 100644
 +@code{setlocale} should not be called while these functions are active.
 +
 +
++@item @code{envromt}
++@cindex envromt
++
++Functions marked with @code{envromt} access the environment with
++@code{getenv} or similar, requiring the environment to be effectively
++read-only for MT-Safe operation.
++
++Environment-modifying functions do not protect in any way against
++concurrent modifications or access, so calling @code{envromt}-marked
++functions concurrently with @code{setenv}, @code{putenv},
++@code{unsetenv} or direct modifications of the global environment data
++structures is ill-advised; external concurrency control must be
++introduced by callers of these environment-modifying and
++@code{envromt}-marked functions.
++
++Functions that modify the environment are also marked with
++@code{envromt}, but they are not MT-Safe for the reasons above.  Since
++all environment-modifying functions are MT-Unsafe, functions that only
++access the environment are marked as MT-Safe when no other safety issue
++applies.
++
++
 +@item @code{uunguard}
 +@cindex uunguard
 +
@@ -141,6 +163,42 @@ index deaf089..2630a77 100644
 +modified concurrently by other threads or signal handlers.
 +
 +
++@item @code{tempchwd}
++@cindex tempchwd
++
++Functions marked with @code{tempchwd} may temporarily change the current
++working directory during their execution, which may cause relative
++pathnames to be resolved in unexpected ways in other threads or within
++asynchronous signal or cancellation handlers.
++
++This is not enough of a reason to mark so-marked functions as MT-Unsafe,
++but when this behavior is optional (e.g., @code{nftw} with
++@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
++a good alternative to using full pathnames or file descriptor-relative
++(e.g. @code{openat}) system calls.
++
++
++@item @code{tempterm}
++@cindex tempterm
++
++Functions marked with @code{tempterm} may temporarily change the
++terminal settings.
++
++This would not be enough of a reason to mark so-marked functions as
++MT-Unsafe, but the recommended mode to modify terminal settings is to
++call @code{tcgetattr}, modify some flags, and then call
++@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
++they leave a window in which changes made by other threads are lost.
++
++It is thus advisable for applications using the terminal to avoid
++concurrent interactions with it, more so if they expect different
++terminal modes.
++
++If this mark appears as an AC-Safety note, it means the function may
++also fail to restore the original terminal mode in case of asynchronous
++cancellation.
++
++
 +@end itemize
 +
 +
@@ -155,11 +213,37 @@ index deaf089..2630a77 100644
 +
 +Functions annotated with @code{staticbuf} use internal static buffers or
 +variables in ways that may cause concurrent calls to interfere
-+destructively.
++destructively.  
 +
 +These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 +offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
 +
++In many of these cases, the static buffer is only used to hold a return
++value; in a few of these, such as @code{tmpnam}, the use of the internal
++buffer can be avoided by passing the buffer as an argument, which makes
++the call MT-Safe and AS-Safe.
++
++
++@item @code{asi18n}
++@cindex asi18n
++
++Functions marked with @code{asi18n} use internationalization functions
++(@code{gettext}), which brings in a number of dependencies and issues
++yet to be documented.
++
++
++@item @code{shlimb}
++@cindex shlimb
++
++Functions marked with @code{shlimb} use the dynamic loader to bring in
++additional code modules.  This involves opening files, mapping them into
++memory, allocating additional memory, resolving symbols, applying
++relocations and more, all of this while holding the dynamic loader
++lock.  
++
++The non-recursive lock itself is enough for the function to be AS- and
++AC-Unsafe, but many other issues may arise.
++
 +
 +@item @code{fdleak}
 +@cindex fdleak
@@ -240,9 +324,8 @@ index deaf089..2630a77 100644
 +Functions marked with @code{selfdeadlock} take a non-recursive lock to
 +ensure MT-Safety while modifying data structures guarded by the lock.
 +
-+If such a function is interrupted by a signal while holding the lock,
-+and the signal handler calls any function that takes the same
-+non-recursive lock, the result is a deadlock.
++If such a function is called by a signal handler that interrupted
++another such function that took the lock, the result is a deadlock.
 +
 +Blocking asynchronous signal delivery while calling such functions is
 +the only safe way to avoid a deadlock if any signal handler might need
@@ -256,10 +339,9 @@ index deaf089..2630a77 100644
 +MT-Safety while accessing or modifying data structures guarded by the
 +lock.
 +
-+If such a function is interrupted by a signal while holding the lock,
-+and the signal handler calls any function that takes the same
-+non-recursive lock, the latter function may observe a partially updated,
-+inconsistent data structure, and misbehave.
++If such a function is called by a signal handler that interrupted
++another such function that took the lock, both may misbehave for
++observing inconsistent (partially updated or cached) data structures.
 +
 +Blocking asynchronous signal delivery while calling such functions is
 +the only safe way to avoid the misbehavior that may ensue if any signal
@@ -294,6 +376,21 @@ index deaf089..2630a77 100644
 +only safe way to avoid the misbehavior that may ensure if the thread is
 +canceled while the function is running.
 +
++@c A special case, probably not worth documenting separately, involves
++@c reallocing, or even freeing pointers.  Any case involving free could
++@c be easily turned into an ac-safe memleak by resetting the pointer
++@c before releasing it; I don't think we have any case that calls for
++@c this sort of fixing.  Fixing the realloc cases would require a new
++@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
++@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
++@c before releasing the old memory.  The ac-unsafe realloc could be
++@c implemented in terms of an internal interface with this semantics
++@c (say __acsafe_realloc), but since realloc can be overridden, the
++@c function we call to implement realloc should not be this internal
++@c interface, but another internal interface that calls __acsafe_realloc
++@c if realloc was not overridden, and calls the overridden realloc with
++@c async cancel disabled.  --lxoliva
++
 +
 +@item @code{simfpu}
 +@cindex simfpu
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 0a83e12..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,172 +0,0 @@
-Bottom: f865586a6c7ce831d9285c15a3df95a5b593b24b
-Top:    c59759fbdfb422ada848ebdd3845677059986449
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:07:31 -0300
-
-Refresh of manual-document-mt-safety.patch
-
----
-
-diff --git a/manual/intro.texi b/manual/intro.texi
-index 2630a77..e47832c 100644
---- a/manual/intro.texi
-+++ b/manual/intro.texi
-@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
- @code{setlocale} should not be called while these functions are active.
- 
- 
-+@item @code{envromt}
-+@cindex envromt
-+
-+Functions marked with @code{envromt} access the environment with
-+@code{getenv} or similar, requiring the environment to be effectively
-+read-only for MT-Safe operation.
-+
-+Environment-modifying functions do not protect in any way against
-+concurrent modifications or access, so calling @code{envromt}-marked
-+functions concurrently with @code{setenv}, @code{putenv},
-+@code{unsetenv} or direct modifications of the global environment data
-+structures is ill-advised; external concurrency control must be
-+introduced by callers of these environment-modifying and
-+@code{envromt}-marked functions.
-+
-+Functions that modify the environment are also marked with
-+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
-+all environment-modifying functions are MT-Unsafe, functions that only
-+access the environment are marked as MT-Safe when no other safety issue
-+applies.
-+
-+
- @item @code{uunguard}
- @cindex uunguard
- 
-@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
- modified concurrently by other threads or signal handlers.
- 
- 
-+@item @code{tempchwd}
-+@cindex tempchwd
-+
-+Functions marked with @code{tempchwd} may temporarily change the current
-+working directory during their execution, which may cause relative
-+pathnames to be resolved in unexpected ways in other threads or within
-+asynchronous signal or cancellation handlers.
-+
-+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
-+but when this behavior is optional (e.g., @code{nftw} with
-+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
-+a good alternative to using full pathnames or file descriptor-relative
-+(e.g. @code{openat}) system calls.
-+
-+
-+@item @code{tempterm}
-+@cindex tempterm
-+
-+Functions marked with @code{tempterm} may temporarily change the
-+terminal settings.
-+
-+This would not be enough of a reason to mark so-marked functions as
-+MT-Unsafe, but the recommended mode to modify terminal settings is to
-+call @code{tcgetattr}, modify some flags, and then call
-+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
-+they leave a window in which changes made by other threads are lost.
-+
-+It is thus advisable for applications using the terminal to avoid
-+concurrent interactions with it, more so if they expect different
-+terminal modes.
-+
-+If this mark appears as an AC-Safety note, it means the function may
-+also fail to restore the original terminal mode in case of asynchronous
-+cancellation.
-+
-+
- @end itemize
- 
- 
-@@ -305,11 +363,37 @@ as follows:
- 
- Functions annotated with @code{staticbuf} use internal static buffers or
- variables in ways that may cause concurrent calls to interfere
--destructively.
-+destructively.  
- 
- These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
- offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
- 
-+In many of these cases, the static buffer is only used to hold a return
-+value; in a few of these, such as @code{tmpnam}, the use of the internal
-+buffer can be avoided by passing the buffer as an argument, which makes
-+the call MT-Safe and AS-Safe.
-+
-+
-+@item @code{asi18n}
-+@cindex asi18n
-+
-+Functions marked with @code{asi18n} use internationalization functions
-+(@code{gettext}), which brings in a number of dependencies and issues
-+yet to be documented.
-+
-+
-+@item @code{shlimb}
-+@cindex shlimb
-+
-+Functions marked with @code{shlimb} use the dynamic loader to bring in
-+additional code modules.  This involves opening files, mapping them into
-+memory, allocating additional memory, resolving symbols, applying
-+relocations and more, all of this while holding the dynamic loader
-+lock.  
-+
-+The non-recursive lock itself is enough for the function to be AS- and
-+AC-Unsafe, but many other issues may arise.
-+
- 
- @item @code{fdleak}
- @cindex fdleak
-@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
- Functions marked with @code{selfdeadlock} take a non-recursive lock to
- ensure MT-Safety while modifying data structures guarded by the lock.
- 
--If such a function is interrupted by a signal while holding the lock,
--and the signal handler calls any function that takes the same
--non-recursive lock, the result is a deadlock.
-+If such a function is called by a signal handler that interrupted
-+another such function that took the lock, the result is a deadlock.
- 
- Blocking asynchronous signal delivery while calling such functions is
- the only safe way to avoid a deadlock if any signal handler might need
-@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
- MT-Safety while accessing or modifying data structures guarded by the
- lock.
- 
--If such a function is interrupted by a signal while holding the lock,
--and the signal handler calls any function that takes the same
--non-recursive lock, the latter function may observe a partially updated,
--inconsistent data structure, and misbehave.
-+If such a function is called by a signal handler that interrupted
-+another such function that took the lock, both may misbehave for
-+observing inconsistent (partially updated or cached) data structures.
- 
- Blocking asynchronous signal delivery while calling such functions is
- the only safe way to avoid the misbehavior that may ensue if any signal
-@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
- only safe way to avoid the misbehavior that may ensure if the thread is
- canceled while the function is running.
- 
-+@c A special case, probably not worth documenting separately, involves
-+@c reallocing, or even freeing pointers.  Any case involving free could
-+@c be easily turned into an ac-safe memleak by resetting the pointer
-+@c before releasing it; I don't think we have any case that calls for
-+@c this sort of fixing.  Fixing the realloc cases would require a new
-+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
-+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
-+@c before releasing the old memory.  The ac-unsafe realloc could be
-+@c implemented in terms of an internal interface with this semantics
-+@c (say __acsafe_realloc), but since realloc can be overridden, the
-+@c function we call to implement realloc should not be this internal
-+@c interface, but another internal interface that calls __acsafe_realloc
-+@c if realloc was not overridden, and calls the overridden realloc with
-+@c async cancel disabled.  --lxoliva
-+
- 
- @item @code{simfpu}
- @cindex simfpu

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b4d906acf0574484a2eee239e7c46c7e060297be

commit b4d906acf0574484a2eee239e7c46c7e060297be
Merge: e5b53da cc2ab13 76dc6db
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:31 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e5b53dab5736d53f6414d24c50ecb9329a8f7391

commit e5b53dab5736d53f6414d24c50ecb9329a8f7391
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:31 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 6a14b79..0ed9f4f 100644
--- a/meta
+++ b/meta
@@ -1,8 +1,9 @@
 Version: 1
-Previous: d9c9f06fc82cd16d6b734513c4f0d533b3fdf2cf
-Head: f159288e81a5a769e1274527d307f82bd918d8e5
+Previous: 76dc6db481a93b17fc264340a48aa76e2afe8f75
+Head: cc2ab132a3cc951371827c846aa4dfa264ba321f
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
+  refresh-temp: cc2ab132a3cc951371827c846aa4dfa264ba321f
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..0a83e12
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,172 @@
+Bottom: f865586a6c7ce831d9285c15a3df95a5b593b24b
+Top:    c59759fbdfb422ada848ebdd3845677059986449
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:07:31 -0300
+
+Refresh of manual-document-mt-safety.patch
+
+---
+
+diff --git a/manual/intro.texi b/manual/intro.texi
+index 2630a77..e47832c 100644
+--- a/manual/intro.texi
++++ b/manual/intro.texi
+@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
+ @code{setlocale} should not be called while these functions are active.
+ 
+ 
++@item @code{envromt}
++@cindex envromt
++
++Functions marked with @code{envromt} access the environment with
++@code{getenv} or similar, requiring the environment to be effectively
++read-only for MT-Safe operation.
++
++Environment-modifying functions do not protect in any way against
++concurrent modifications or access, so calling @code{envromt}-marked
++functions concurrently with @code{setenv}, @code{putenv},
++@code{unsetenv} or direct modifications of the global environment data
++structures is ill-advised; external concurrency control must be
++introduced by callers of these environment-modifying and
++@code{envromt}-marked functions.
++
++Functions that modify the environment are also marked with
++@code{envromt}, but they are not MT-Safe for the reasons above.  Since
++all environment-modifying functions are MT-Unsafe, functions that only
++access the environment are marked as MT-Safe when no other safety issue
++applies.
++
++
+ @item @code{uunguard}
+ @cindex uunguard
+ 
+@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
+ modified concurrently by other threads or signal handlers.
+ 
+ 
++@item @code{tempchwd}
++@cindex tempchwd
++
++Functions marked with @code{tempchwd} may temporarily change the current
++working directory during their execution, which may cause relative
++pathnames to be resolved in unexpected ways in other threads or within
++asynchronous signal or cancellation handlers.
++
++This is not enough of a reason to mark so-marked functions as MT-Unsafe,
++but when this behavior is optional (e.g., @code{nftw} with
++@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
++a good alternative to using full pathnames or file descriptor-relative
++(e.g. @code{openat}) system calls.
++
++
++@item @code{tempterm}
++@cindex tempterm
++
++Functions marked with @code{tempterm} may temporarily change the
++terminal settings.
++
++This would not be enough of a reason to mark so-marked functions as
++MT-Unsafe, but the recommended mode to modify terminal settings is to
++call @code{tcgetattr}, modify some flags, and then call
++@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
++they leave a window in which changes made by other threads are lost.
++
++It is thus advisable for applications using the terminal to avoid
++concurrent interactions with it, more so if they expect different
++terminal modes.
++
++If this mark appears as an AC-Safety note, it means the function may
++also fail to restore the original terminal mode in case of asynchronous
++cancellation.
++
++
+ @end itemize
+ 
+ 
+@@ -305,11 +363,37 @@ as follows:
+ 
+ Functions annotated with @code{staticbuf} use internal static buffers or
+ variables in ways that may cause concurrent calls to interfere
+-destructively.
++destructively.  
+ 
+ These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+ offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+ 
++In many of these cases, the static buffer is only used to hold a return
++value; in a few of these, such as @code{tmpnam}, the use of the internal
++buffer can be avoided by passing the buffer as an argument, which makes
++the call MT-Safe and AS-Safe.
++
++
++@item @code{asi18n}
++@cindex asi18n
++
++Functions marked with @code{asi18n} use internationalization functions
++(@code{gettext}), which brings in a number of dependencies and issues
++yet to be documented.
++
++
++@item @code{shlimb}
++@cindex shlimb
++
++Functions marked with @code{shlimb} use the dynamic loader to bring in
++additional code modules.  This involves opening files, mapping them into
++memory, allocating additional memory, resolving symbols, applying
++relocations and more, all of this while holding the dynamic loader
++lock.  
++
++The non-recursive lock itself is enough for the function to be AS- and
++AC-Unsafe, but many other issues may arise.
++
+ 
+ @item @code{fdleak}
+ @cindex fdleak
+@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
+ Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ ensure MT-Safety while modifying data structures guarded by the lock.
+ 
+-If such a function is interrupted by a signal while holding the lock,
+-and the signal handler calls any function that takes the same
+-non-recursive lock, the result is a deadlock.
++If such a function is called by a signal handler that interrupted
++another such function that took the lock, the result is a deadlock.
+ 
+ Blocking asynchronous signal delivery while calling such functions is
+ the only safe way to avoid a deadlock if any signal handler might need
+@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
+ MT-Safety while accessing or modifying data structures guarded by the
+ lock.
+ 
+-If such a function is interrupted by a signal while holding the lock,
+-and the signal handler calls any function that takes the same
+-non-recursive lock, the latter function may observe a partially updated,
+-inconsistent data structure, and misbehave.
++If such a function is called by a signal handler that interrupted
++another such function that took the lock, both may misbehave for
++observing inconsistent (partially updated or cached) data structures.
+ 
+ Blocking asynchronous signal delivery while calling such functions is
+ the only safe way to avoid the misbehavior that may ensue if any signal
+@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
+ only safe way to avoid the misbehavior that may ensure if the thread is
+ canceled while the function is running.
+ 
++@c A special case, probably not worth documenting separately, involves
++@c reallocing, or even freeing pointers.  Any case involving free could
++@c be easily turned into an ac-safe memleak by resetting the pointer
++@c before releasing it; I don't think we have any case that calls for
++@c this sort of fixing.  Fixing the realloc cases would require a new
++@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
++@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
++@c before releasing the old memory.  The ac-unsafe realloc could be
++@c implemented in terms of an internal interface with this semantics
++@c (say __acsafe_realloc), but since realloc can be overridden, the
++@c function we call to implement realloc should not be this internal
++@c interface, but another internal interface that calls __acsafe_realloc
++@c if realloc was not overridden, and calls the overridden realloc with
++@c async cancel disabled.  --lxoliva
++
+ 
+ @item @code{simfpu}
+ @cindex simfpu

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cc2ab132a3cc951371827c846aa4dfa264ba321f

commit cc2ab132a3cc951371827c846aa4dfa264ba321f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:31 2013 -0300

    Refresh of manual-document-mt-safety.patch

diff --git a/manual/intro.texi b/manual/intro.texi
index 2630a77..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
 @code{setlocale} should not be called while these functions are active.
 
 
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
 @item @code{uunguard}
 @cindex uunguard
 
@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
 modified concurrently by other threads or signal handlers.
 
 
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
 @end itemize
 
 
@@ -305,11 +363,37 @@ as follows:
 
 Functions annotated with @code{staticbuf} use internal static buffers or
 variables in ways that may cause concurrent calls to interfere
-destructively.
+destructively.  
 
 These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
 
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
 
 @item @code{fdleak}
 @cindex fdleak
@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
 Functions marked with @code{selfdeadlock} take a non-recursive lock to
 ensure MT-Safety while modifying data structures guarded by the lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the result is a deadlock.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid a deadlock if any signal handler might need
@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
 MT-Safety while accessing or modifying data structures guarded by the
 lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the latter function may observe a partially updated,
-inconsistent data structure, and misbehave.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid the misbehavior that may ensue if any signal
@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
 only safe way to avoid the misbehavior that may ensure if the thread is
 canceled while the function is running.
 
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
 
 @item @code{simfpu}
 @cindex simfpu

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=76dc6db481a93b17fc264340a48aa76e2afe8f75

commit 76dc6db481a93b17fc264340a48aa76e2afe8f75
Merge: c92e698 d9c9f06
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:18 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c92e6984cabde57c3fca8e3eb572880c127081e0

commit c92e6984cabde57c3fca8e3eb572880c127081e0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:18 2013 -0300

    push

diff --git a/meta b/meta
index 8ae9a1b..6a14b79 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,9 @@
 Version: 1
-Previous: b1b6abe1cfb871cadb695ab02b83c4dd64019e63
-Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
+Previous: d9c9f06fc82cd16d6b734513c4f0d533b3fdf2cf
+Head: f159288e81a5a769e1274527d307f82bd918d8e5
 Applied:
-Unapplied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
+Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
   manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d9c9f06fc82cd16d6b734513c4f0d533b3fdf2cf

commit d9c9f06fc82cd16d6b734513c4f0d533b3fdf2cf
Merge: 23e8267 b1b6abe ca0a6bc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:16 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=23e8267e7b64076cbdd271376d0e446282ec7848

commit 23e8267e7b64076cbdd271376d0e446282ec7848
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:07:16 2013 -0300

    pop

diff --git a/meta b/meta
index d7dffb5..8ae9a1b 100644
--- a/meta
+++ b/meta
@@ -1,7 +1,8 @@
 Version: 1
-Previous: b42c03a8ec5f571a7dcc0d8a373e9a46ef1b2844
-Head: f79b9fc6a64c2160e49b66d3ffd8beff25d0317b
+Previous: b1b6abe1cfb871cadb695ab02b83c4dd64019e63
+Head: ca0a6bc4c5c53aa6c4a735c36336408a06b8cd89
 Applied:
+Unapplied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
@@ -15,7 +16,6 @@ Applied:
   manual-document-mt-safety-errno.patch: 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
   manual-document-mt-safety-filesys.patch: 9ae778a025f0908ba789a9e0cf5065ab0d53628a
   manual-document-mt-safety-getopt.patch: f79b9fc6a64c2160e49b66d3ffd8beff25d0317b
-Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b1b6abe1cfb871cadb695ab02b83c4dd64019e63

commit b1b6abe1cfb871cadb695ab02b83c4dd64019e63
Merge: ef9c434 b42c03a f79b9fc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:37 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ef9c434101aae96d5d6e90f58ceb5d101c33d4c9

commit ef9c434101aae96d5d6e90f58ceb5d101c33d4c9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:37 2013 -0300

    import

diff --git a/meta b/meta
index b6649b9..d7dffb5 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ceb20a507e59205b8f5c6c2fa25d16b76a422c4e
-Head: 9ae778a025f0908ba789a9e0cf5065ab0d53628a
+Previous: b42c03a8ec5f571a7dcc0d8a373e9a46ef1b2844
+Head: f79b9fc6a64c2160e49b66d3ffd8beff25d0317b
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -14,6 +14,7 @@ Applied:
   manual-document-mt-safety-debug.patch: c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
   manual-document-mt-safety-errno.patch: 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
   manual-document-mt-safety-filesys.patch: 9ae778a025f0908ba789a9e0cf5065ab0d53628a
+  manual-document-mt-safety-getopt.patch: f79b9fc6a64c2160e49b66d3ffd8beff25d0317b
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/manual-document-mt-safety-getopt.patch b/patches/manual-document-mt-safety-getopt.patch
new file mode 100644
index 0000000..d1ce979
--- /dev/null
+++ b/patches/manual-document-mt-safety-getopt.patch
@@ -0,0 +1,68 @@
+Bottom: c99f368a71f19ba8429c3534e1b674f3a20de73e
+Top:    eaf7ea9f21df96f6e1ba6d92a8b44a2546e980f4
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:06:36 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/getopt.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/getopt.texi b/manual/getopt.texi
+index f0b7283..3c1f4de 100644
+--- a/manual/getopt.texi
++++ b/manual/getopt.texi
+@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
+ @comment unistd.h
+ @comment POSIX.2
+ @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
++@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c It may swap argv elements but argv is not guarded, and the
++@c modifications may be partial in case of cancellation.  Calling getenv
++@c also brings about thread-safety issues out of access and returning
++@c pointers into the globally shared environment array, just like
++@c calling gettext brings about a whole lot of AS and AC safety issues.
++@c The getopt API involves returning values in the non-thread-specific
++@c optarg variable, which adds another thread-safety issue.  Given
++@c print_errors, it may output errors to stderr, which may
++@c self-deadlock, leak locks, or encounter (in a signal handler) or
++@c leave (in case of cancellation) stderr in an inconsistent state.
++@c Various implicit, indirect uses of malloc, in uses of memstream and
++@c asprintf for error-printing, bring about the usual malloc issues.
++@c (The explicit use of malloc in a conditional situation in
++@c _getopt_initialize is never exercised in glibc.)
++@c
++@c _getopt_internal
++@c  _getopt_internal_r
++@c   gettext
++@c   _getopt_initialize
++@c    getenv
++@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
++@c   open_memstream
++@c   lockfile, unlockfile, __fxprintf -> stderr
++@c   asprintf
+ The @code{getopt} function gets the next option argument from the
+ argument list specified by the @var{argv} and @var{argc} arguments.
+ Normally these values come directly from the arguments received by
+@@ -225,6 +250,8 @@ was seen.
+ @comment getopt.h
+ @comment GNU
+ @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
++@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c Same issues as getopt.
+ Decode options from the vector @var{argv} (whose length is @var{argc}).
+ The argument @var{shortopts} describes the short options to accept, just as
+ it does in @code{getopt}.  The argument @var{longopts} describes the long
+@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
+ @comment getopt.h
+ @comment GNU
+ @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
++@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c Same issues as getopt.
+ 
+ The @code{getopt_long_only} function is equivalent to the
+ @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f79b9fc6a64c2160e49b66d3ffd8beff25d0317b

commit f79b9fc6a64c2160e49b66d3ffd8beff25d0317b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:36 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/getopt.texi: Document thread safety properties.

diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b42c03a8ec5f571a7dcc0d8a373e9a46ef1b2844

commit b42c03a8ec5f571a7dcc0d8a373e9a46ef1b2844
Merge: 719c006 ceb20a5 9ae778a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=719c00675114f4846a42b628cbabc290a7cb1edc

commit 719c00675114f4846a42b628cbabc290a7cb1edc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    import

diff --git a/meta b/meta
index 7992004..b6649b9 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 99ddb1a0214122ee3ce2d4a4292978e1e00442a4
-Head: 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
+Previous: ceb20a507e59205b8f5c6c2fa25d16b76a422c4e
+Head: 9ae778a025f0908ba789a9e0cf5065ab0d53628a
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -13,6 +13,7 @@ Applied:
   manual-document-mt-safety-ctype.patch: d3739e943bb05d4edb6ca163f33c2cda30ada1f6
   manual-document-mt-safety-debug.patch: c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
   manual-document-mt-safety-errno.patch: 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
+  manual-document-mt-safety-filesys.patch: 9ae778a025f0908ba789a9e0cf5065ab0d53628a
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/manual-document-mt-safety-filesys.patch b/patches/manual-document-mt-safety-filesys.patch
new file mode 100644
index 0000000..5f9b89d
--- /dev/null
+++ b/patches/manual-document-mt-safety-filesys.patch
@@ -0,0 +1,789 @@
+Bottom: e0c86b7119156c45d45fc7b8853dfb0c950448cb
+Top:    c99f368a71f19ba8429c3534e1b674f3a20de73e
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:06:03 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/filesys.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 1df9cf2..2244025 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c If buffer is NULL, this function calls malloc and realloc, and, in
++@c case of error, free.  Linux offers a getcwd syscall that we use on
++@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
++@c fallback, and on other systems, the generic implementation opens each
++@c parent directory with opendir, which allocates memory for the
++@c directory stream with malloc.  If a fstatat64 syscall is not
++@c available, very deep directory trees may also have to malloc to build
++@c longer sequences of ../../../... than those supported by a global
++@c const read-only string.
++
++@c linux/__getcwd
++@c  posix/__getcwd
++@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
++@c   lstat64 -> see its own entry
++@c   fstatat64
++@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
++@c   openat64_not_cancel_3, close_not_cancel_no_status
++@c   __fdopendir, __opendir, __readdir, rewinddir
+ The @code{getcwd} function returns an absolute file name representing
+ the current working directory, storing it in the character array
+ @var{buffer} that you provide.  The @var{size} argument is how you tell
+@@ -116,6 +135,9 @@ software.
+ @comment unistd.h
+ @comment BSD
+ @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
++@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
++@c Besides the getcwd safety issues, it calls strerror_r on error, which
++@c brings in all of the i18n issues.
+ This is similar to @code{getcwd}, but has no way to specify the size of
+ the buffer.  @Theglibc{} provides @code{getwd} only
+ for backwards compatibility with BSD.
+@@ -130,6 +152,9 @@ this function is deprecated.
+ @comment unistd.h
+ @comment GNU
+ @deftypefun {char *} get_current_dir_name (void)
++@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides getcwd, which this function calls as a fallback, it calls
++@c getenv, with the usual thread-safety issues that brings about.
+ @vindex PWD
+ This @code{get_current_dir_name} function is basically equivalent to
+ @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
+@@ -145,6 +170,7 @@ This function is a GNU extension.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ @var{filename}.
+ 
+@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
+ @comment unistd.h
+ @comment XPG
+ @deftypefun int fchdir (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ directory associated with the file descriptor @var{filedes}.
+ 
+@@ -294,12 +321,14 @@ values and @code{st_mode} values:
+ @comment dirent.h
+ @comment BSD
+ @deftypefun int IFTODT (mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{d_type} value corresponding to @var{mode}.
+ @end deftypefun
+ 
+ @comment dirent.h
+ @comment BSD
+ @deftypefun mode_t DTTOIF (int @var{dtype})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{st_mode} value corresponding to @var{dtype}.
+ @end deftypefun
+ @end table
+@@ -342,6 +371,9 @@ the following functions.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {DIR *} opendir (const char *@var{dirname})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides the safe syscall, we have to allocate the DIR object with
++@c __alloc_dir, that calls malloc.
+ The @code{opendir} function opens and returns a directory stream for
+ reading the directory whose file name is @var{dirname}.  The stream has
+ type @code{DIR *}.
+@@ -381,6 +413,8 @@ alternative interface can be used.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun {DIR *} fdopendir (int @var{fd})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c The DIR object is allocated with __alloc_dir, that calls malloc.
+ The @code{fdopendir} function works just like @code{opendir} but
+ instead of taking a file name and opening a file descriptor for the
+ directory the caller is required to provide a file descriptor.  This
+@@ -425,6 +459,7 @@ access.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int dirfd (DIR *@var{dirstream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The function @code{dirfd} returns the file descriptor associated with
+ the directory stream @var{dirstream}.  This descriptor can be used until
+ the directory is closed with @code{closedir}.  If the directory stream
+@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c This function holds dirstream's non-recursive lock, which brings
++@c about the usual issues with locks and async signals and cancellation,
++@c but the lock taking is not enough to make the returned value safe to
++@c use, since it points to a stream's internal buffer that can be
++@c overwritten by subsequent calls or even released by closedir.
+ This function reads the next entry from the directory.  It normally
+ returns a pointer to a structure containing information about the file.
+ This structure is statically allocated and can be rewritten by a
+@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ This function is the reentrant version of @code{readdir}.  Like
+ @code{readdir} it returns the next entry from the directory.  But to
+ prevent conflicts between simultaneously running threads the result is
+@@ -516,6 +558,7 @@ of the last two functions.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64} function is just like the @code{readdir} function
+ except that it returns a pointer to a record of type @code{struct
+ dirent64}.  Some of the members of this data type (notably @code{d_ino})
+@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64_r} function is equivalent to the @code{readdir_r}
+ function except that it takes parameters of base type @code{struct
+ dirent64} instead of @code{struct dirent} in the second and third
+@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun int closedir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
++@c No synchronization in the posix implementation, only in the hurd
++@c one.  This is regarded as safe because it is undefined behavior if
++@c other threads could still be using the dir stream while it's closed.
+ This function closes the directory stream @var{dirstream}.  It returns
+ @code{0} on success and @code{-1} on failure.
+ 
+@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun void rewinddir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{rewinddir} function is used to reinitialize the directory
+ stream @var{dirstream}, so that if you call @code{readdir} it
+ returns information about the first entry in the directory again.  This
+@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
+ @comment dirent.h
+ @comment BSD
+ @deftypefun {long int} telldir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{telldir} function returns the file position of the directory
+ stream @var{dirstream}.  You can use this value with @code{seekdir} to
+ restore the directory stream to that position.
+@@ -597,6 +650,10 @@ restore the directory stream to that position.
+ @comment dirent.h
+ @comment BSD
+ @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{seekdir} function sets the file position of the directory
+ stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
+ result of a previous call to @code{telldir} on this particular stream;
+@@ -616,6 +673,19 @@ the result.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c The scandir function calls __opendirat, __readdir, and __closedir to
++@c go over the named dir; malloc and realloc to allocate the namelist
++@c and copies of each selected dirent, besides the selector, if given,
++@c and qsort and the cmp functions if the latter is given.  In spite of
++@c the cleanup handler that releases memory and the file descriptor in
++@c case of synchronous cancellation, an asynchronous cancellation may
++@c still leak memory and a file descriptor.  Although readdir is unsafe
++@c in general, the use of an internal dir stream for sequential scanning
++@c of the directory with copying of dirents before subsequent calls
++@c makes the use safe, and the fact that the dir stream is private to
++@c each scandir call does away with the lock issues in readdir and
++@c closedir.
+ 
+ The @code{scandir} function scans the contents of the directory selected
+ by @var{dir}.  The result in *@var{namelist} is an array of pointers to
+@@ -646,6 +716,8 @@ are very helpful for this purpose.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c Calls strcoll.
+ The @code{alphasort} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c Calls strverscmp.
+ The @code{versionsort} function is like @code{alphasort} except that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c See scandir.
+ The @code{scandir64} function works like the @code{scandir} function
+ except that the directory entries it returns are described by elements
+ of type @w{@code{struct dirent64}}.  The function pointed to by
+@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c See alphasort.
+ The @code{alphasort64} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c See versionsort.
+ The @code{versionsort64} function is like @code{alphasort64}, excepted that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -880,6 +960,8 @@ file was passed).
+ @comment ftw.h
+ @comment SVID
+ @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
++@c see nftw for safety details
+ The @code{ftw} function calls the callback function given in the
+ parameter @var{func} for every item which is found in the directory
+ specified by @var{filename} and all directories below.  The function
+@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+ This function is similar to @code{ftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
+ @comment ftw.h
+ @comment XPG4.2
+ @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
++@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
++@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
++@c  if FTW_CHDIR, also calls fchdir
++@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
++@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
++@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
++@c  find_object (tsearch) and add_object (tfind).  
++@c Since each invocation of *ftw uses its own private search tree, none
++@c  of the search tree concurrency issues apply.
+ The @code{nftw} function works like the @code{ftw} functions.  They call
+ the callback function @var{func} for all items found in the directory
+ @var{filename} and below.  At most @var{descriptors} file descriptors
+@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+ This function is similar to @code{nftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{link} function makes a new link to the existing file named by
+ @var{oldname}, under the new name @var{newname}.
+ 
+@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{symlink} function makes a symbolic link to @var{oldname} named
+ @var{newname}.
+ 
+@@ -1190,6 +1287,7 @@ exceeded.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{readlink} function gets the value of the symbolic link
+ @var{filename}.  The file name that the link points to is copied into
+ @var{buffer}.  This file name string is @emph{not} null-terminated;
+@@ -1249,6 +1347,8 @@ names can refer to the same inode.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun {char *} canonicalize_file_name (const char *@var{name})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls realpath.
+ 
+ The @code{canonicalize_file_name} function returns the absolute name of
+ the file named by @var{name} which contains no @code{.}, @code{..}
+@@ -1290,6 +1390,8 @@ where the result is placed in.
+ @comment stdlib.h
+ @comment XPG
+ @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
+ 
+ A call to @code{realpath} where the @var{resolved} parameter is
+ @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
+@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int unlink (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{unlink} function deletes the file name @var{filename}.  If
+ this is a file's sole name, the file itself is also deleted.  (Actually,
+ if any process has the file open when this happens, deletion is
+@@ -1371,6 +1474,7 @@ file system and can't be modified.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int rmdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @cindex directories, deleting
+ @cindex deleting a directory
+ The @code{rmdir} function deletes a directory.  The directory must be
+@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int remove (const char *@var{filename})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Calls unlink and rmdir.
+ This is the @w{ISO C} function to remove a file.  It works like
+ @code{unlink} for files and like @code{rmdir} for directories.
+ @code{remove} is declared in @file{stdio.h}.
+@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a rename syscall, there's an emulation with link
++@c and unlink, but it's racy, even more so if newname exists and is
++@c unlinked first.
+ The @code{rename} function renames the file @var{oldname} to
+ @var{newname}.  The file formerly accessible under the name
+ @var{oldname} is afterwards accessible as @var{newname} instead.  (If
+@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{mkdir} function creates a new, empty directory with name
+ @var{filename}.
+ 
+@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{stat} function returns information about the attributes of the
+ file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
+ 
+@@ -1875,6 +1987,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{stat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fstat} function is like @code{stat}, except that it takes an
+ open file descriptor as an argument instead of a file name.
+ @xref{Low-Level I/O}.
+@@ -1909,6 +2023,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{fstat} but is able to work on large
+ files on 32-bit platforms.  For large files the file descriptor
+ @var{filedes} should be obtained by @code{open64} or @code{creat64}.
+@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
+ replaces the interface for small files on 32-bit machines.
+ @end deftypefun
+ 
++@c fstatat will call alloca and snprintf if the syscall is not
++@c available.
++@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat, sometimes with an xstat conv call
++@c afterwards.
+ The @code{lstat} function is like @code{stat}, except that it does not
+ follow symbolic links.  If @var{filename} is the name of a symbolic
+ link, @code{lstat} returns information about the link itself; otherwise
+@@ -1936,6 +2058,9 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat64, sometimes with an xstat conv
++@c call afterwards.
+ This function is similar to @code{lstat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -1974,12 +2099,14 @@ that file:
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISDIR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a directory.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISCHR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a character special file (a
+ device like a terminal).
+ @end deftypefn
+@@ -1987,6 +2114,7 @@ device like a terminal).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISBLK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a block special file (a device
+ like a disk).
+ @end deftypefn
+@@ -1994,12 +2122,14 @@ like a disk).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISREG (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a regular file.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISFIFO (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a FIFO special file, or a
+ pipe.  @xref{Pipes and FIFOs}.
+ @end deftypefn
+@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISLNK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a symbolic link.
+ @xref{Symbolic Links}.
+ @end deftypefn
+@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISSOCK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a socket.  @xref{Sockets}.
+ @end deftypefn
+ 
+@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX message queues as distinct objects and the
+ file is a message queue object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX semaphores as distinct objects and the
+ file is a semaphore object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX shared memory objects as distinct objects
+ and the file is an shared memory object, this macro returns a non-zero
+ value.  In all other cases the result is zero.
+@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chown} function changes the owner of the file @var{filename} to
+ @var{owner}, and its group owner to @var{group}.
+ 
+@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chown}, except that it changes the owner of the open
+ file with descriptor @var{filedes}.
+ 
+@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun mode_t umask (mode_t @var{mask})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{umask} function sets the file creation mask of the current
+ process to @var{mask}, and returns the previous value of the file
+ creation mask.
+@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefun mode_t getumask (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Return the current value of the file creation mask for the current
+ process.  This function is a GNU extension and is only available on
+ @gnuhurdsystems{}.
+@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chmod} function sets the access permission bits for the file
+ named by @var{filename} to @var{mode}.
+ 
+@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chmod}, except that it changes the permissions of the
+ currently open file given by @var{filedes}.
+ 
+@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int access (const char *@var{filename}, int @var{how})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{access} function checks to see whether the file named by
+ @var{filename} can be accessed in the way specified by the @var{how}
+ argument.  The @var{how} argument either can be the bitwise OR of the
+@@ -2732,6 +2874,9 @@ This is the modification time for the file.
+ @comment utime.h
+ @comment POSIX.1
+ @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utime syscall, it non-atomically converts times
++@c to a struct timeval and calls utimes.
+ This function is used to modify the file times associated with the file
+ named @var{filename}.
+ 
+@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, or to
++@c struct utimbuf and calls utime.
+ This function sets the file access and modification times of the file
+ @var{filename}.  The new file access time is specified by
+ @code{@var{tvp}[0]}, and the new modification time by
+@@ -2797,6 +2946,9 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no lutimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall.
+ This function is like @code{utimes}, except that it does not follow
+ symbolic links.  If @var{filename} is the name of a symbolic link,
+ @code{lutimes} sets the file access and modification times of the
+@@ -2813,6 +2965,10 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no futimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, falling back
++@c to utimes on a /proc/self/fd symlink.
+ This function is like @code{utimes}, except that it takes an open file
+ descriptor as an argument instead of a file name.  @xref{Low-Level
+ I/O}.  This function comes from FreeBSD, and is not available on all
+@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
+ @comment unistd.h
+ @comment X/Open
+ @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a truncate syscall, we use open and ftruncate.
+ 
+ The @code{truncate} function changes the size of @var{filename} to
+ @var{length}.  If @var{length} is shorter than the previous length, data
+@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try truncate if length fits.
+ This function is similar to the @code{truncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines, which allows the handling of files with sizes up to
+@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This is like @code{truncate}, but it works on a file descriptor @var{fd}
+ for an opened file instead of a file name to identify the object.  The
+@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try ftruncate if length fits.
+ This function is similar to the @code{ftruncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines which allows the handling of files with sizes up to
+@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Instead of issuing the syscall directly, we go through xmknod.
++@c Although the internal xmknod takes a dev_t*, that could lead to
++@c xguargs races, it's passed a pointer to mknod's dev.
+ The @code{mknod} function makes a special file with name @var{filename}.
+ The @var{mode} specifies the mode of the file, and may include the various
+ special file bits, such as @code{S_IFCHR} (for a character special file)
+@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} tmpfile (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@c The unsafety issues are those of fdopen, plus fdleak because of the
++@c open.
++@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
++@c  libc_secure_genenv only if try_tmpdir
++@c  xstat64, strlen, strcmp, sprintf
++@c __gen_tempname (internal tmpl, __GT_FILE) ok
++@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
++@c  HP_TIMING_NOW if available ok
++@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
++@c  static value is used and modified without synchronization ok
++@c   but the use is as a source of non-cryptographic randomness
++@c   with retries in case of collision, so it should be safe
++@c unlink, fdopen
+ This function creates a temporary binary file for update mode, as if by
+ calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
+ automatically when it is closed or when the program terminates.  (On
+@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} tmpfile64 (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+ This function is similar to @code{tmpfile}, but the stream it returns a
+ pointer to was opened using @code{tmpfile64}.  Therefore this stream can
+ be used for files larger then @math{2^31} bytes on 32-bit machines.
+@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {char *} tmpnam (char *@var{result})
++@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
++@c The passed-in buffer should not be modified concurrently with the
++@c call.
++@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+ This function constructs and returns a valid file name that does not
+ refer to any existing file.  If the @var{result} argument is a null
+ pointer, the return value is a pointer to an internal static string,
+@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {char *} tmpnam_r (char *@var{result})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+ This function is nearly identical to the @code{tmpnam} function, except
+ that if @var{result} is a null pointer it returns a null pointer.
+ 
+@@ -3192,6 +3380,13 @@ never less than @code{25}.
+ @comment stdio.h
+ @comment SVID
+ @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
++@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
++@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
++@c even with a non-NULL dir, which makes this thread-unsafe.
++@c
++@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
++@c strdup
+ This function generates a unique temporary file name.  If @var{prefix}
+ is not a null pointer, up to five characters of this string are used as
+ a prefix for the file name.  The return value is a string newly
+@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
+ @comment stdlib.h
+ @comment Unix
+ @deftypefun {char *} mktemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
+ The @code{mktemp} function generates a unique file name by modifying
+ @var{template} as described above.  If successful, it returns
+ @var{template} as modified.  If @code{mktemp} cannot find a unique file
+@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun int mkstemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
++@c __gen_tempname (caller tmpl, __GT_FILE) ok
+ The @code{mkstemp} function generates a unique file name just as
+ @code{mktemp} does, but it also opens the file for you with @code{open}
+ (@pxref{Opening and Closing Files}).  If successful, it modifies
+@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun {char *} mkdtemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_DIR) ok
+ The @code{mkdtemp} function creates a directory with a unique name.  If
+ it succeeds, it overwrites @var{template} with the name of the
+ directory, and returns @var{template}.  As with @code{mktemp} and
+@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
+ @xref{Creating Directories}.
+ 
+ The @code{mkdtemp} function comes from OpenBSD.
++
++@c FIXME these are undocumented:
++@c faccessat
++@c fchmodat
++@c fchownat
++@c futimesat
++@c fstatat
++@c linkat
++@c mkdirat
++@c mkfifoat
++@c name_to_handle_at
++@c openat
++@c open_by_handle_at
++@c readlinkat
++@c renameat
++@c scandirat
++@c symlinkat
++@c unlinkat
++@c utimensat
++@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9ae778a025f0908ba789a9e0cf5065ab0d53628a

commit 9ae778a025f0908ba789a9e0cf5065ab0d53628a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:06:03 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/filesys.texi: Document thread safety properties.

diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ceb20a507e59205b8f5c6c2fa25d16b76a422c4e

commit ceb20a507e59205b8f5c6c2fa25d16b76a422c4e
Merge: 062c00c 99ddb1a 6c7e1ff
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=062c00c3e50ab93e97a8ed26286888206052e6ed

commit 062c00c3e50ab93e97a8ed26286888206052e6ed
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    import

diff --git a/meta b/meta
index 0437233..7992004 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 4d8b595aa808366628a3d60761726294a8eb41f7
-Head: c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
+Previous: 99ddb1a0214122ee3ce2d4a4292978e1e00442a4
+Head: 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -12,6 +12,7 @@ Applied:
   manual-document-mt-safety-crypt.patch: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
   manual-document-mt-safety-ctype.patch: d3739e943bb05d4edb6ca163f33c2cda30ada1f6
   manual-document-mt-safety-debug.patch: c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
+  manual-document-mt-safety-errno.patch: 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/manual-document-mt-safety-errno.patch b/patches/manual-document-mt-safety-errno.patch
new file mode 100644
index 0000000..75e4099
--- /dev/null
+++ b/patches/manual-document-mt-safety-errno.patch
@@ -0,0 +1,152 @@
+Bottom: d9693aa296c06ebe3fdaa8817d28a446b893fe25
+Top:    e0c86b7119156c45d45fc7b8853dfb0c950448cb
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:05:34 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/errno.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/errno.texi b/manual/errno.texi
+index 6c9fa86..eb3f412 100644
+--- a/manual/errno.texi
++++ b/manual/errno.texi
+@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
+ @comment string.h
+ @comment ISO
+ @deftypefun {char *} strerror (int @var{errnum})
++@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
++@c Calls strerror_r with a static buffer allocated with malloc on the
++@c first use.
+ The @code{strerror} function maps the error code (@pxref{Checking for
+ Errors}) specified by the @var{errnum} argument to a descriptive error
+ message string.  The return value is a pointer to this string.
+@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
+ @comment string.h
+ @comment GNU
+ @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
++@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
+ The @code{strerror_r} function works like @code{strerror} but instead of
+ returning the error message in a statically allocated buffer shared by
+ all threads in the process, it returns a private copy for the
+@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
+ @comment stdio.h
+ @comment ISO
+ @deftypefun void perror (const char *@var{message})
++@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
++@c Besides strerror_r's and some of fprintf's issues, if stderr is not
++@c oriented yet, create a new stream with a dup of stderr's fd and write
++@c to that instead of stderr, to avoid orienting it.
+ This function prints an error message to the stream @code{stderr};
+ see @ref{Standard Streams}.  The orientation of @code{stderr} is not
+ changed.
+@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
+ @comment error.h
+ @comment GNU
+ @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
++@c Cancellation is disabled throught the execution.  It flushes stdout
++@c and then holds a lock on stderr while printing the program name and
++@c then running error_tail.  The non-wide case just runs vfprintf; the
++@c wide case converts the message to an alloca/malloc-allocated buffer
++@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
++@c print_errno_message calls strerror_r and fxprintf.
+ The @code{error} function can be used to report general problems during
+ program execution.  The @var{format} argument is a format string just
+ like those given to the @code{printf} family of functions.  The
+@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
+ @comment error.h
+ @comment GNU
+ @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
++@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
++@c The error_one_per_line variable is accessed (without any form of
++@c synchronization, but since it's an int used once, it should be safe
++@c enough) and, if this mode is enabled, static variables used to hold
++@c the last printed file name and line number are accessed and modified
++@c without synchronization; the update is not atomic and it occurs
++@c before disabling cancellation, so it can be interrupted after only
++@c one of the two variables is modified.  After that, it's very much
++@c like error.
+ 
+ The @code{error_at_line} function is very similar to the @code{error}
+ function.  The only difference are the additional parameters @var{fname}
+@@ -1582,6 +1606,8 @@ are included only for compatibility.
+ @comment err.h
+ @comment BSD
+ @deftypefun void warn (const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c Just calls vwarn with the va_list.
+ The @code{warn} function is roughly equivalent to a call like
+ @smallexample
+   error (0, errno, format, @r{the parameters})
+@@ -1594,6 +1620,11 @@ are not used.
+ @comment err.h
+ @comment BSD
+ @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c While holding stderr's recursive lock, it prints the programname, the
++@c given message, and the error string with fw?printf's %m.  When the
++@c stream is wide, convert_and_print converts the format string to an
++@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
+ The @code{vwarn} function is just like @code{warn} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.
+@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
+ @comment err.h
+ @comment BSD
+ @deftypefun void warnx (const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as warn, but without the strerror translation issues.
+ The @code{warnx} function is roughly equivalent to a call like
+ @smallexample
+   error (0, 0, format, @r{the parameters})
+@@ -1615,6 +1648,8 @@ string is printed.
+ @comment err.h
+ @comment BSD
+ @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as vwarn, but without the strerror translation issues.
+ The @code{vwarnx} function is just like @code{warnx} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.
+@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
+ @comment err.h
+ @comment BSD
+ @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c Same as warn followed by exit.
+ The @code{err} function is roughly equivalent to a call like
+ @smallexample
+   error (status, errno, format, @r{the parameters})
+@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
+ @comment err.h
+ @comment BSD
+ @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c Same as vwarn followed by exit.
+ The @code{verr} function is just like @code{err} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.
+@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
+ @comment err.h
+ @comment BSD
+ @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as warnx followed by exit.
+ The @code{errx} function is roughly equivalent to a call like
+ @smallexample
+   error (status, 0, format, @r{the parameters})
+@@ -1657,6 +1698,8 @@ string is printed.
+ @comment err.h
+ @comment BSD
+ @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as vwarnx followed by exit.
+ The @code{verrx} function is just like @code{errx} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6c7e1ffb65b6f160f2a901a4d7fb52654cee4521

commit 6c7e1ffb65b6f160f2a901a4d7fb52654cee4521
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:34 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/errno.texi: Document thread safety properties.

diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=99ddb1a0214122ee3ce2d4a4292978e1e00442a4

commit 99ddb1a0214122ee3ce2d4a4292978e1e00442a4
Merge: 91130e4 c7ee4c2 4d8b595
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:12 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=91130e4b59ea170e3c28c543b5f83380c1998e6b

commit 91130e4b59ea170e3c28c543b5f83380c1998e6b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:12 2013 -0300

    import

diff --git a/meta b/meta
index 35b24f1..0437233 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 4d47d98038a63156be7d3a6588f4892f3f44b0b3
-Head: d3739e943bb05d4edb6ca163f33c2cda30ada1f6
+Previous: 4d8b595aa808366628a3d60761726294a8eb41f7
+Head: c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -11,6 +11,7 @@ Applied:
   manual-document-mt-safety-conf.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
   manual-document-mt-safety-crypt.patch: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
   manual-document-mt-safety-ctype.patch: d3739e943bb05d4edb6ca163f33c2cda30ada1f6
+  manual-document-mt-safety-debug.patch: c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/manual-document-mt-safety-debug.patch b/patches/manual-document-mt-safety-debug.patch
new file mode 100644
index 0000000..c31f434
--- /dev/null
+++ b/patches/manual-document-mt-safety-debug.patch
@@ -0,0 +1,57 @@
+Bottom: ef2aa24039042b2529772d0209797c599eb01fbe
+Top:    d9693aa296c06ebe3fdaa8817d28a446b893fe25
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:05:11 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/debug.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/debug.texi b/manual/debug.texi
+index 1db9c18..ce0c263 100644
+--- a/manual/debug.texi
++++ b/manual/debug.texi
+@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
+ @comment execinfo.h
+ @comment GNU
+ @deftypefun int backtrace (void **@var{buffer}, int @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Pointer chasing within the local stack.
+ The @code{backtrace} function obtains a backtrace for the current
+ thread, as a list of pointers, and places the information into
+ @var{buffer}.  The argument @var{size} should be the number of
+@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
+ @comment execinfo.h
+ @comment GNU
+ @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
++@c Collects info returned by _dl_addr in auto array, allocates memory
++@c for the whole return buffer with malloc then sprintfs into it storing
++@c pointers to the strings into the array entries in the buffer.
++@c _dl_addr takes the recursive dl_load_lock then calls
++@c _dl_find_dso_for_object and determine_info.
++@c _dl_find_dso_for_object calls _dl-addr_inside_object.
++@c All of them are safe as long as the lock is held.
++@c asynconsist?  It doesn't looke like the dynamic loader's data
++@c structures could be in an inconsistent state that would cause
++@c malfunction here.
+ The @code{backtrace_symbols} function translates the information
+ obtained from the @code{backtrace} function into an array of strings.
+ The argument @var{buffer} should be a pointer to an array of addresses
+@@ -88,6 +101,11 @@ cannot be obtained.
+ @comment execinfo.h
+ @comment GNU
+ @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
++@c Single loop of _dl_addr over addresses, collecting info into an iovec
++@c written out with a writev call per iteration.  Addresses and offsets
++@c are converted to hex in auto buffers, so the only potential issue
++@c here is leaking the dl lock in case of cancellation.
+ The @code{backtrace_symbols_fd} function performs the same translation
+ as the function @code{backtrace_symbols} function.  Instead of returning
+ the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf

commit c7ee4c2aa47d7a32e68a01dd01e4087485df8ccf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:05:11 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/debug.texi: Document thread safety properties.

diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d8b595aa808366628a3d60761726294a8eb41f7

commit 4d8b595aa808366628a3d60761726294a8eb41f7
Merge: ee90b6e d3739e9 4d47d98
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:04:17 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ee90b6e96ffad2c5dabebb2f6bc96e69ba9a2757

commit ee90b6e96ffad2c5dabebb2f6bc96e69ba9a2757
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:04:17 2013 -0300

    float

diff --git a/meta b/meta
index e27c22f..35b24f1 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: d24ed54af95494d6d45a3d2d0b4906c72e9a89d8
-Head: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
+Previous: 4d47d98038a63156be7d3a6588f4892f3f44b0b3
+Head: d3739e943bb05d4edb6ca163f33c2cda30ada1f6
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,10 +10,10 @@ Applied:
   manual-document-mt-safety-charset.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
   manual-document-mt-safety-conf.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
   manual-document-mt-safety-crypt.patch: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
+  manual-document-mt-safety-ctype.patch: d3739e943bb05d4edb6ca163f33c2cda30ada1f6
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
   manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index a9588e2..f682ded 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
-Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
+Bottom: 9879c04c4ffa34225360a9359ba3d098a05a208c
+Top:    ef2aa24039042b2529772d0209797c599eb01fbe
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d3739e943bb05d4edb6ca163f33c2cda30ada1f6

commit d3739e943bb05d4edb6ca163f33c2cda30ada1f6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d47d98038a63156be7d3a6588f4892f3f44b0b3

commit 4d47d98038a63156be7d3a6588f4892f3f44b0b3
Merge: 22819d7 d24ed54
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:04:01 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=22819d712565b64a19a9bb66b1150b60bab262fc

commit 22819d712565b64a19a9bb66b1150b60bab262fc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:04:01 2013 -0300

    rename

diff --git a/meta b/meta
index 7db2e07..e27c22f 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: cbeec520ddf7025ba680c736e39b76887de956c0
+Previous: d24ed54af95494d6d45a3d2d0b4906c72e9a89d8
 Head: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
@@ -9,7 +9,7 @@ Applied:
   manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
   manual-document-mt-safety-charset.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
   manual-document-mt-safety-conf.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
-  new.patch: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
+  manual-document-mt-safety-crypt.patch: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/new.patch b/patches/manual-document-mt-safety-crypt.patch
similarity index 100%
rename from patches/new.patch
rename to patches/manual-document-mt-safety-crypt.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=77aa308dccc33e4ccba70b5ac186e1d5c2408f17

commit 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/crypt.texi: Document thread safety properties.

diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d24ed54af95494d6d45a3d2d0b4906c72e9a89d8

commit d24ed54af95494d6d45a3d2d0b4906c72e9a89d8
Merge: c68ab57 cbeec52 77aa308
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c68ab570778257693f59e8382d40a4f6c33adbb8

commit c68ab570778257693f59e8382d40a4f6c33adbb8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:47 2013 -0300

    import

diff --git a/meta b/meta
index 60a716f..7db2e07 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 9eaea22809e3d84514c9a24279289cb5b093b745
-Head: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
+Previous: cbeec520ddf7025ba680c736e39b76887de956c0
+Head: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -9,6 +9,7 @@ Applied:
   manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
   manual-document-mt-safety-charset.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
   manual-document-mt-safety-conf.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
+  new.patch: 77aa308dccc33e4ccba70b5ac186e1d5c2408f17
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/new.patch b/patches/new.patch
new file mode 100644
index 0000000..8311afe
--- /dev/null
+++ b/patches/new.patch
@@ -0,0 +1,114 @@
+Bottom: 01a0439b7c735fb096210cab50592ed7ae588e00
+Top:    9879c04c4ffa34225360a9359ba3d098a05a208c
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:03:47 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/crypt.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/crypt.texi b/manual/crypt.texi
+index ef90590..5c9f6f7 100644
+--- a/manual/crypt.texi
++++ b/manual/crypt.texi
+@@ -92,7 +92,13 @@ in a convenient way.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun {char *} getpass (const char *@var{prompt})
+-
++@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
++@c This function will attempt to create a stream for terminal I/O, but
++@c will fallback to stdio/stderr.  It attempts to change the terminal
++@c mode in a thread-unsafe way, write out the prompt, read the password,
++@c then restore the terminal mode.  It has a cleanup to close the stream
++@c in case of (synchronous) cancellation, but not to restore the
++@c terminal mode.
+ @code{getpass} outputs @var{prompt}, then reads a string in from the
+ terminal without echoing it.  It tries to connect to the real terminal,
+ @file{/dev/tty}, if possible, to encourage users not to put plaintext
+@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
+ @comment crypt.h
+ @comment BSD, SVID
+ @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
++@c Besides the obvious problem of returning a pointer into static
++@c storage, the DES initializer takes an internal lock with the usual
++@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
++@c NSS implementations of may leak file descriptors if canceled.  The
++@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
++@c and NSS relies on dlopening, which brings about another can of worms.
+ 
+ The @code{crypt} function takes a password, @var{key}, as a string, and
+ a @var{salt} character array which is described below, and returns a
+@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
+ @comment crypt.h
+ @comment GNU
+ @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
++@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
++@c Compared with crypt, this function fixes the staticbuf problem, but
++@c nothing else.
+ 
+ The @code{crypt_r} function does the same thing as @code{crypt}, but
+ takes an extra parameter which includes space for its result (among
+@@ -233,6 +249,11 @@ specifies the unused bits.
+ @comment crypt.h
+ @comment BSD, SVID
+ @deftypefun void setkey (const char *@var{key})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
++@c The static buffer stores the key, making it fundamentally
++@c thread-unsafe.  The locking issues are only in the initialization
++@c path; cancelling the initialization will leave the lock held, it
++@c would otherwise repeat the initialization on the next call.
+ 
+ The @code{setkey} function sets an internal data structure to be an
+ expanded form of @var{key}.  @var{key} is specified as an array of 64
+@@ -244,6 +265,8 @@ parity.
+ @comment crypt.h
+ @comment BSD, SVID
+ @deftypefun void encrypt (char *@var{block}, int @var{edflag})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
++@c Same issues as setkey.
+ 
+ The @code{encrypt} function encrypts @var{block} if
+ @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
+@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
+ @comment crypt.h
+ @comment GNU
+ @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
++@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+ @comment crypt.h
+ @comment GNU
+ @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
++@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+ 
+ These are reentrant versions of @code{setkey} and @code{encrypt}.  The
+ only difference is the extra parameter, which stores the expanded
+@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
+ @comment rpc/des_crypt.h
+ @comment SUNRPC
+ @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The function @code{ecb_crypt} encrypts or decrypts one or more blocks
+ using DES.  Each block is encrypted independently.
+@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
+ @comment rpc/des_crypt.h
+ @comment SUNRPC
+ @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The function @code{cbc_crypt} encrypts or decrypts one or more blocks
+ using DES in Cipher Block Chaining mode.
+@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
+ @comment rpc/des_crypt.h
+ @comment SUNRPC
+ @deftypefun void des_setparity (char *@var{key})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The function @code{des_setparity} changes the 64-bit @var{key}, stored
+ packed in 8-bit bytes, to have odd parity by altering the low bits of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cbeec520ddf7025ba680c736e39b76887de956c0

commit cbeec520ddf7025ba680c736e39b76887de956c0
Merge: 68d86c4 9eaea22
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:22 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=68d86c42b3ffa5e25ba65e4e8099563ac23879b3

commit 68d86c42b3ffa5e25ba65e4e8099563ac23879b3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:22 2013 -0300

    rename

diff --git a/meta b/meta
index 76ffde7..60a716f 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 868381d9e68121f8017a7623afcda1bf00b77bf9
+Previous: 9eaea22809e3d84514c9a24279289cb5b093b745
 Head: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
@@ -8,7 +8,7 @@ Applied:
   manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
   manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
   manual-document-mt-safety-charset.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
-  new.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
+  manual-document-mt-safety-conf.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/new.patch b/patches/manual-document-mt-safety-conf.patch
similarity index 100%
rename from patches/new.patch
rename to patches/manual-document-mt-safety-conf.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91

commit 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/conf.texi: Document thread safety properties.

diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9eaea22809e3d84514c9a24279289cb5b093b745

commit 9eaea22809e3d84514c9a24279289cb5b093b745
Merge: 2c95e61 868381d 517120c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2c95e61f6162511b6ee0d35a151ec7b00488e82e

commit 2c95e61f6162511b6ee0d35a151ec7b00488e82e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:03:16 2013 -0300

    import

diff --git a/meta b/meta
index ece0732..76ffde7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 69e769f4742cc3e9523f0e6fdd99b7ad004ccb3d
-Head: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
+Previous: 868381d9e68121f8017a7623afcda1bf00b77bf9
+Head: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -8,6 +8,7 @@ Applied:
   manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
   manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
   manual-document-mt-safety-charset.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
+  new.patch: 517120c0f0268cfc4dc3361ab19e1fc5d0c5ce91
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/new.patch b/patches/new.patch
new file mode 100644
index 0000000..dc5d0aa
--- /dev/null
+++ b/patches/new.patch
@@ -0,0 +1,65 @@
+Bottom: 214fcee1fc2244efd3fa34e70667561366631af6
+Top:    01a0439b7c735fb096210cab50592ed7ae588e00
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:03:16 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/conf.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/conf.texi b/manual/conf.texi
+index 7eb8b36..edbb2fd 100644
+--- a/manual/conf.texi
++++ b/manual/conf.texi
+@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {long int} sysconf (int @var{parameter})
++@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
++@c Some parts of the implementation open /proc and /sys files and dirs
++@c to collect system details, using fd and stream I/O depending on the
++@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
++@c calls tzset_internal, that calls getenv if it's called the first
++@c time; there are free and strdup calls in there too.  The returned max
++@c value may change over time for TZNAME_MAX, depending on selected
++@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
++@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
++@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
++@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
+ This function is used to inquire about runtime system parameters.  The
+ @var{parameter} argument should be one of the @samp{_SC_} symbols listed
+ below.
+@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
++@c When __statfs_link_max finds an ext* filesystem, it may read
++@c /proc/mounts or similar as a mntent stream.
++@c __statfs_chown_restricted may read from
++@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
+ This function is used to inquire about the limits that apply to
+ the file named @var{filename}.
+ 
+@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
++@c Same caveats as pathconf.
+ This is just like @code{pathconf} except that an open file descriptor
+ is used to specify the file for which information is requested, instead
+ of a file name.
+@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
+ @comment unistd.h
+ @comment POSIX.2
+ @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function reads the value of a string-valued system parameter,
+ storing the string into @var{len} bytes of memory space starting at
+ @var{buf}.  The @var{parameter} argument should be one of the

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=868381d9e68121f8017a7623afcda1bf00b77bf9

commit 868381d9e68121f8017a7623afcda1bf00b77bf9
Merge: 9141d8e 69e769f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:49 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9141d8e8372bedc822555bdfc515025d1ef6e4fd

commit 9141d8e8372bedc822555bdfc515025d1ef6e4fd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:48 2013 -0300

    rename

diff --git a/meta b/meta
index b5e50c8..ece0732 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: aff6a80c4f6f02731f47b8a61018af3783eab866
+Previous: 69e769f4742cc3e9523f0e6fdd99b7ad004ccb3d
 Head: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
@@ -7,7 +7,7 @@ Applied:
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
   manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
   manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
-  new.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
+  manual-document-mt-safety-charset.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/new.patch b/patches/manual-document-mt-safety-charset.patch
similarity index 100%
rename from patches/new.patch
rename to patches/manual-document-mt-safety-charset.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3df069f9dba32efa41ab542b1ec3dbee3a8d71ae

commit 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/charset.texi: Document thread safety properties.

diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=69e769f4742cc3e9523f0e6fdd99b7ad004ccb3d

commit 69e769f4742cc3e9523f0e6fdd99b7ad004ccb3d
Merge: dcc9390 aff6a80 3df069f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dcc93906ca71d674ca55d43b24d691f8c3cc5796

commit dcc93906ca71d674ca55d43b24d691f8c3cc5796
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:01:33 2013 -0300

    import

diff --git a/meta b/meta
index 66aeca6..b5e50c8 100644
--- a/meta
+++ b/meta
@@ -1,12 +1,13 @@
 Version: 1
-Previous: 1037ba670ee6fa52c0455717d21e7e75ce3fb9ef
-Head: a6f2df9755a82acf03faacd3844e32ff5336d033
+Previous: aff6a80c4f6f02731f47b8a61018af3783eab866
+Head: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
   manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
   manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
+  new.patch: 3df069f9dba32efa41ab542b1ec3dbee3a8d71ae
 Unapplied:
   manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/new.patch b/patches/new.patch
new file mode 100644
index 0000000..d61f282
--- /dev/null
+++ b/patches/new.patch
@@ -0,0 +1,232 @@
+Bottom: 7d1efa70a6263de6179afe2a9a443ea3375c3c65
+Top:    214fcee1fc2244efd3fa34e70667561366631af6
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:01:33 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/charset.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/charset.texi b/manual/charset.texi
+index e21502e..7e6c416 100644
+--- a/manual/charset.texi
++++ b/manual/charset.texi
+@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int mbsinit (const mbstate_t *@var{ps})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c ps is dereferenced once, unguarded.  Potential harmless data race.
+ The @code{mbsinit} function determines whether the state object pointed
+ to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
+ the object is in the initial state the return value is nonzero.  Otherwise
+@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t btowc (int @var{c})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Calls btowc_fct or __fct; reads from locale, and from the
++@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
++@c __wcsmbs_load_conv to initialize the ctype if it's null.
++@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
++@c memory for the fcts structure, initializing it, and then storing it
++@c in the locale object.  The initialization involves dlopening and a
++@c lot more.
+ The @code{btowc} function (``byte to wide character'') converts a valid
+ single byte character @var{c} in the initial shift state into the wide
+ character equivalent using the conversion rules from the currently
+@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int wctob (wint_t @var{c})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wctob} function (``wide character to byte'') takes as the
+ parameter a valid wide character.  If the multibyte representation for
+ this character in the initial state is exactly one byte long, the return
+@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ @cindex stateful
+ The @code{mbrtowc} function (``multibyte restartable to wide
+ character'') converts the next multibyte character in the string pointed
+@@ -728,6 +740,7 @@ function that does part of the work.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbrlen} function (``multibyte restartable length'') computes
+ the number of at most @var{n} bytes starting at @var{s}, which form the
+ next valid and complete multibyte character.
+@@ -811,6 +824,50 @@ doing the work twice.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c wcrtomb uses a static, non-thread-local unguarded state variable when
++@c PS is NULL.  When a state is passed in, and it's not used
++@c concurrently in other threads, this function behaves safely as long
++@c as gconv modules don't bring MT safety issues of their own.
++@c Attempting to load gconv modules or to build conversion chains in
++@c signal handlers may encounter gconv databases or caches in a
++@c partially-updated state, and asynchronous cancellation may leave them
++@c in such states, besides leaking the lock that guards them.
++@c get_gconv_fcts ok
++@c    wcsmbs_load_conv ok
++@c      norm_add_slashes ok
++@c      wcsmbs_getfct ok
++@c        gconv_find_transform ok
++@c          gconv_read_conf (libc_once)
++@c          gconv_lookup_cache ok
++@c            find_module_idx ok
++@c            find_module ok
++@c              gconv_find_shlib (ok)
++@c              ->init_fct (assumed ok)
++@c            gconv_get_builtin_trans ok
++@c            gconv_release_step ok
++@c          do_lookup_alias ok
++@c          find_derivation ok
++@c            derivation_lookup ok
++@c            increment_counter ok
++@c              gconv_find_shlib ok
++@c              step->init_fct (assumed ok)
++@c            gen_steps ok
++@c              gconv_find_shlib ok
++@c                dlopen (presumed ok)
++@c                dlsym (presumed ok)
++@c              step->init_fct (assumed ok)
++@c              step->end_fct (assumed ok)
++@c              gconv_get_builtin_trans ok
++@c              gconv_release_step ok
++@c            add_derivation ok
++@c      gconv_close_transform ok
++@c        gconv_release_step ok
++@c          step->end_fct (assumed ok)
++@c          gconv_release_shlib ok
++@c            dlclose (presumed ok)
++@c        gconv_release_cache ok
++@c  ->tomb->__fct (assumed ok)
+ The @code{wcrtomb} function (``wide character restartable to
+ multibyte'') converts a single wide character into a multibyte string
+ corresponding to that wide character.
+@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbsrtowcs} function (``multibyte string restartable to wide
+ character string'') converts an NUL-terminated multibyte character
+ string at @code{*@var{src}} into an equivalent wide character string,
+@@ -1039,6 +1097,7 @@ length and passing this length to the function.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wcsrtombs} function (``wide character string restartable to
+ multibyte string'') converts the NUL-terminated wide character string at
+ @code{*@var{src}} into an equivalent multibyte character string and
+@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
+ @comment wchar.h
+ @comment GNU
+ @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
+ function.  All the parameters are the same except for @var{nmc}, which is
+ new.  The return value is the same as for @code{mbsrtowcs}.
+@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wcsnrtombs} function implements the conversion from wide
+ character strings to multibyte character strings.  It is similar to
+ @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
+@@ -1280,6 +1341,7 @@ conversion functions.}
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbtowc} (``multibyte to wide character'') function when called
+ with non-null @var{string} converts the first multibyte character
+ beginning at @var{string} to its corresponding wide character code.  It
+@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wctomb} (``wide character to multibyte'') function converts
+ the wide character code @var{wchar} to its corresponding multibyte
+ character sequence, and stores the result in bytes starting at
+@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun int mblen (const char *@var{string}, size_t @var{size})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mblen} function with a non-null @var{string} argument returns
+ the number of bytes that make up the multibyte character beginning at
+ @var{string}, never examining more than @var{size} bytes.  (The idea is
+@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Odd...  Although this is in the non-reentrant section, the state
++@c object is automatic, not a static buffer.
+ The @code{mbstowcs} (``multibyte string to wide character string'')
+ function converts the null-terminated string of multibyte characters
+ @var{string} to an array of wide character codes, storing not more than
+@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wcstombs} (``wide character string to multibyte string'')
+ function converts the null-terminated wide character array @var{wstring}
+ into a string containing multibyte characters, storing not more than
+@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
+ @comment iconv.h
+ @comment XPG2
+ @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
++@c strip and upstr on both, then gconv_open.  strip and upstr call
++@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
++@c tokenize toset, replace unspecified codesets with the current locale
++@c (posibly two different accesses), and finally it calls
++@c gconv_find_transform and initializes the gconv_t result with all the
++@c steps in the conversion sequence, running each one's initializer,
++@c destructing and releasing them all if anything fails.
++
+ The @code{iconv_open} function has to be used before starting a
+ conversion.  The two parameters this function takes determine the
+ source and destination character set for the conversion, and if the
+@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
+ @comment iconv.h
+ @comment XPG2
+ @deftypefun int iconv_close (iconv_t @var{cd})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
++@c Calls gconv_close to destruct and release each of the conversion
++@c steps, release the gconv_t object, then call gconv_close_transform.
++@c Access to the gconv_t object is not guarded, but calling iconv_close
++@c concurrently with any other use is undefined.
++
+ The @code{iconv_close} function frees all resources associated with the
+ handle @var{cd}, which must have been returned by a successful call to
+ the @code{iconv_open} function.
+@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
+ @comment iconv.h
+ @comment XPG2
+ @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
++@c Without guarding access to the gconv_t object pointed to by cd, call
++@c the conversion function to convert inbuf or flush the internal
++@c conversion state.
+ @cindex stateful
+ The @code{iconv} function converts the text in the input buffer
+ according to the rules associated with the descriptor @var{cd} and

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=aff6a80c4f6f02731f47b8a61018af3783eab866

commit aff6a80c4f6f02731f47b8a61018af3783eab866
Merge: 96dbf41 1037ba6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:24 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=96dbf412285bf011376452689da1c4e476c4b8f4

commit 96dbf412285bf011376452689da1c4e476c4b8f4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:24 2013 -0300

    pop

diff --git a/meta b/meta
index 03244cf..66aeca6 100644
--- a/meta
+++ b/meta
@@ -1,14 +1,14 @@
 Version: 1
-Previous: f02c0e21f0bcde96b0c9fba5082bfab8011f819b
-Head: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
+Previous: 1037ba670ee6fa52c0455717d21e7e75ce3fb9ef
+Head: a6f2df9755a82acf03faacd3844e32ff5336d033
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
   manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
   manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
-  manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
 Unapplied:
+  manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a6f2df9755a82acf03faacd3844e32ff5336d033

commit a6f2df9755a82acf03faacd3844e32ff5336d033
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1037ba670ee6fa52c0455717d21e7e75ce3fb9ef

commit 1037ba670ee6fa52c0455717d21e7e75ce3fb9ef
Merge: 3f1d89c 168f6d6 f02c0e2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:22 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3f1d89c572ccf3a5150faa0577314d34d359a95a

commit 3f1d89c572ccf3a5150faa0577314d34d359a95a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:22 2013 -0300

    push

diff --git a/meta b/meta
index 1bf113b..03244cf 100644
--- a/meta
+++ b/meta
@@ -1,14 +1,14 @@
 Version: 1
-Previous: 870a5eece5a3e5118f41a273a5e0d57218e66127
-Head: 3a08620f4907bff742b31a6f67651e4a3b21c179
+Previous: f02c0e21f0bcde96b0c9fba5082bfab8011f819b
+Head: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
   manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
+  manual-document-mt-safety-arith.patch: a6f2df9755a82acf03faacd3844e32ff5336d033
+  manual-document-mt-safety-stdio.patch: 168f6d659bcb7106985edac12bc7b3a2110a7fb0
 Unapplied:
-  manual-document-mt-safety-arith.patch: 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
-  manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 2977482..b25c52a 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 6c9a45167e9f148c725e5d962b1cd083292f0adf
-Top:    77a9710ea0dc3422d900f3c93d406942e132693c
+Bottom: 159ee8e039a2ee1968f5b806b99cb2c568c31678
+Top:    7d1efa70a6263de6179afe2a9a443ea3375c3c65
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 8aae437..fb0f44d 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: e75a47b5ad278b7f85e5420cd63cda069e0b7030
-Top:    e394e37491899340294bfd977f43c098c558c2b1
+Bottom: 7d1efa70a6263de6179afe2a9a443ea3375c3c65
+Top:    9d00eea6735363e6e80869186f9fb160ee3e5642
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=168f6d659bcb7106985edac12bc7b3a2110a7fb0

commit 168f6d659bcb7106985edac12bc7b3a2110a7fb0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..7809dd4 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,12 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2785,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4201,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4399,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4594,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4764,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4781,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4906,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5076,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5192,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3a08620f4907bff742b31a6f67651e4a3b21c179

commit 3a08620f4907bff742b31a6f67651e4a3b21c179
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f02c0e21f0bcde96b0c9fba5082bfab8011f819b

commit f02c0e21f0bcde96b0c9fba5082bfab8011f819b
Merge: 80cd2a7 3a08620 870a5ee
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:13 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=80cd2a7119496bb7b8d9fbd2efc0734dfa4de5f5

commit 80cd2a7119496bb7b8d9fbd2efc0734dfa4de5f5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:13 2013 -0300

    float

diff --git a/meta b/meta
index 6ebdbd5..1bf113b 100644
--- a/meta
+++ b/meta
@@ -1,16 +1,16 @@
 Version: 1
-Previous: 55da5cc8b1a927b818e90ac3ebb021f1f93db170
-Head: 04381689562081fc1e2328e5807e0dc537c1c5fc
+Previous: 870a5eece5a3e5118f41a273a5e0d57218e66127
+Head: 3a08620f4907bff742b31a6f67651e4a3b21c179
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
+  manual-document-mt-safety-argp.patch: 3a08620f4907bff742b31a6f67651e4a3b21c179
 Unapplied:
   manual-document-mt-safety-arith.patch: 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
-  manual-document-mt-safety-argp.patch: 9d7c8bd6707cd06cb1f10ff81ef6ae4c44704091
   manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index d575e96..5313e9f 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -1,5 +1,5 @@
-Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
-Top:    a71a934d3af669b0a2a4656922c2a6cfd020181a
+Bottom: 6c9a45167e9f148c725e5d962b1cd083292f0adf
+Top:    159ee8e039a2ee1968f5b806b99cb2c568c31678
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 21:57:08 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=870a5eece5a3e5118f41a273a5e0d57218e66127

commit 870a5eece5a3e5118f41a273a5e0d57218e66127
Merge: 178ff64 55da5cc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:07 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=178ff64a45437921cbeedce8d650e2ec827fd205

commit 178ff64a45437921cbeedce8d650e2ec827fd205
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:07 2013 -0300

    pop

diff --git a/meta b/meta
index 66ba666..6ebdbd5 100644
--- a/meta
+++ b/meta
@@ -1,12 +1,12 @@
 Version: 1
-Previous: 4333c49a222db29650411bf35bcf96e650464ff9
-Head: 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
+Previous: 55da5cc8b1a927b818e90ac3ebb021f1f93db170
+Head: 04381689562081fc1e2328e5807e0dc537c1c5fc
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
-  manual-document-mt-safety-arith.patch: 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
 Unapplied:
+  manual-document-mt-safety-arith.patch: 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=55da5cc8b1a927b818e90ac3ebb021f1f93db170

commit 55da5cc8b1a927b818e90ac3ebb021f1f93db170
Merge: 43832e8 60f0d7a 4333c49
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:06 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=43832e8a8aa6cffa171f6bc90c9f68f13ea8e03e

commit 43832e8a8aa6cffa171f6bc90c9f68f13ea8e03e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:06 2013 -0300

    refresh

diff --git a/meta b/meta
index 4b29503..66ba666 100644
--- a/meta
+++ b/meta
@@ -1,12 +1,11 @@
 Version: 1
-Previous: 0c3a0fd528c1aea76c88e92991b952428087e5a5
-Head: e100ba384a1bfa95f011c59ef9e535600dbbbf03
+Previous: 4333c49a222db29650411bf35bcf96e650464ff9
+Head: 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
-  manual-document-mt-safety-arith.patch: b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d
-  refresh-temp: e100ba384a1bfa95f011c59ef9e535600dbbbf03
+  manual-document-mt-safety-arith.patch: 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
 Unapplied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 5f1c9c2..2977482 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
 Bottom: 6c9a45167e9f148c725e5d962b1cd083292f0adf
-Top:    e75a47b5ad278b7f85e5420cd63cda069e0b7030
+Top:    77a9710ea0dc3422d900f3c93d406942e132693c
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:40 -0300
 
@@ -13,7 +13,7 @@ for  ChangeLog
 ---
 
 diff --git a/manual/arith.texi b/manual/arith.texi
-index 77056c3..833e0c9 100644
+index 77056c3..5c3aa9d 100644
 --- a/manual/arith.texi
 +++ b/manual/arith.texi
 @@ -160,6 +160,8 @@ The remainder from the division.
@@ -49,7 +49,47 @@ index 77056c3..833e0c9 100644
  The @code{imaxdiv} function is like the @code{div} function, but the
  arguments are of type @code{intmax_t} and the result is returned as
  a structure of type @code{imaxdiv_t}.
-@@ -410,6 +415,7 @@ not have to worry about the type of their argument.
+@@ -318,6 +323,7 @@ floating-point number a variable holds.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is a generic macro which works on all floating-point types and
+ which returns a value of type @code{int}.  The possible values are:
+ 
+@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is finite: not plus or
+ minus infinity, and not NaN.  It is equivalent to
+ 
+@@ -368,6 +375,7 @@ floating-point type.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is finite and normalized.
+ It is equivalent to
+ 
+@@ -379,6 +387,7 @@ It is equivalent to
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
+ to
+ 
+@@ -390,6 +399,7 @@ to
+ @comment math.h
+ @comment GNU
+ @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is a signaling NaN
+ (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
+ extension.
+@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
  @comment math.h
  @comment BSD
  @deftypefunx int isinfl (long double @var{x})
@@ -57,7 +97,7 @@ index 77056c3..833e0c9 100644
  This function returns @code{-1} if @var{x} represents negative infinity,
  @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
  @end deftypefun
-@@ -423,6 +429,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
+@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
  @comment math.h
  @comment BSD
  @deftypefunx int isnanl (long double @var{x})
@@ -65,7 +105,7 @@ index 77056c3..833e0c9 100644
  This function returns a nonzero value if @var{x} is a ``not a number''
  value, and zero otherwise.
  
-@@ -445,6 +452,7 @@ function for some reason, you can write
+@@ -445,6 +457,7 @@ function for some reason, you can write
  @comment math.h
  @comment BSD
  @deftypefunx int finitel (long double @var{x})
@@ -73,7 +113,7 @@ index 77056c3..833e0c9 100644
  This function returns a nonzero value if @var{x} is finite or a ``not a
  number'' value, and zero otherwise.
  @end deftypefun
-@@ -713,6 +721,22 @@ and save and restore the set of exceptions flagged.
+@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
  @comment fenv.h
  @comment ISO
  @deftypefun int feclearexcept (int @var{excepts})
@@ -96,7 +136,7 @@ index 77056c3..833e0c9 100644
  This function clears all of the supported exception flags indicated by
  @var{excepts}.
  
-@@ -723,6 +747,7 @@ non-zero value otherwise.
+@@ -723,6 +752,7 @@ non-zero value otherwise.
  @comment fenv.h
  @comment ISO
  @deftypefun int feraiseexcept (int @var{excepts})
@@ -104,7 +144,7 @@ index 77056c3..833e0c9 100644
  This function raises the supported exceptions indicated by
  @var{excepts}.  If more than one exception bit in @var{excepts} is set
  the order in which the exceptions are raised is undefined except that
-@@ -738,6 +763,7 @@ non-zero value otherwise.
+@@ -738,6 +768,7 @@ non-zero value otherwise.
  @comment fenv.h
  @comment ISO
  @deftypefun int fetestexcept (int @var{excepts})
@@ -112,7 +152,7 @@ index 77056c3..833e0c9 100644
  Test whether the exception flags indicated by the parameter @var{except}
  are currently set.  If any of them are, a nonzero value is returned
  which specifies which exceptions are set.  Otherwise the result is zero.
-@@ -774,6 +800,7 @@ following functions:
+@@ -774,6 +805,7 @@ following functions:
  @comment fenv.h
  @comment ISO
  @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
@@ -120,7 +160,7 @@ index 77056c3..833e0c9 100644
  This function stores in the variable pointed to by @var{flagp} an
  implementation-defined value representing the current setting of the
  exception flags indicated by @var{excepts}.
-@@ -785,6 +812,7 @@ non-zero value otherwise.
+@@ -785,6 +817,7 @@ non-zero value otherwise.
  @comment fenv.h
  @comment ISO
  @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
@@ -128,7 +168,7 @@ index 77056c3..833e0c9 100644
  This function restores the flags for the exceptions indicated by
  @var{excepts} to the values stored in the variable pointed to by
  @var{flagp}.
-@@ -940,6 +968,7 @@ find out which one with this function:
+@@ -940,6 +973,7 @@ find out which one with this function:
  @comment fenv.h
  @comment ISO
  @deftypefun int fegetround (void)
@@ -136,7 +176,7 @@ index 77056c3..833e0c9 100644
  Returns the currently selected rounding mode, represented by one of the
  values of the defined rounding mode macros.
  @end deftypefun
-@@ -950,6 +979,7 @@ To change the rounding mode, use this function:
+@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
  @comment fenv.h
  @comment ISO
  @deftypefun int fesetround (int @var{round})
@@ -144,7 +184,7 @@ index 77056c3..833e0c9 100644
  Changes the currently selected rounding mode to @var{round}.  If
  @var{round} does not correspond to one of the supported rounding modes
  nothing is changed.  @code{fesetround} returns zero if it changed the
-@@ -994,6 +1024,7 @@ To save the state of the FPU, use one of these functions:
+@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
  @comment fenv.h
  @comment ISO
  @deftypefun int fegetenv (fenv_t *@var{envp})
@@ -152,7 +192,7 @@ index 77056c3..833e0c9 100644
  Store the floating-point environment in the variable pointed to by
  @var{envp}.
  
-@@ -1004,6 +1035,7 @@ non-zero value otherwise.
+@@ -1004,6 +1040,7 @@ non-zero value otherwise.
  @comment fenv.h
  @comment ISO
  @deftypefun int feholdexcept (fenv_t *@var{envp})
@@ -160,7 +200,7 @@ index 77056c3..833e0c9 100644
  Store the current floating-point environment in the object pointed to by
  @var{envp}.  Then clear all exception flags, and set the FPU to trap no
  exceptions.  Not all FPUs support trapping no exceptions; if
-@@ -1042,6 +1074,7 @@ functions:
+@@ -1042,6 +1079,7 @@ functions:
  @comment fenv.h
  @comment ISO
  @deftypefun int fesetenv (const fenv_t *@var{envp})
@@ -168,7 +208,7 @@ index 77056c3..833e0c9 100644
  Set the floating-point environment to that described by @var{envp}.
  
  The function returns zero in case the operation was successful, a
-@@ -1051,6 +1084,7 @@ non-zero value otherwise.
+@@ -1051,6 +1089,7 @@ non-zero value otherwise.
  @comment fenv.h
  @comment ISO
  @deftypefun int feupdateenv (const fenv_t *@var{envp})
@@ -176,7 +216,7 @@ index 77056c3..833e0c9 100644
  Like @code{fesetenv}, this function sets the floating-point environment
  to that described by @var{envp}.  However, if any exceptions were
  flagged in the status word before @code{feupdateenv} was called, they
-@@ -1071,6 +1105,7 @@ occur, you can use the following two functions.
+@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
  @comment fenv.h
  @comment GNU
  @deftypefun int feenableexcept (int @var{excepts})
@@ -184,7 +224,7 @@ index 77056c3..833e0c9 100644
  This functions enables traps for each of the exceptions as indicated by
  the parameter @var{except}.  The individual exceptions are described in
  @ref{Status bit operations}.  Only the specified exceptions are
-@@ -1083,6 +1118,7 @@ operation was successful, @code{-1} otherwise.
+@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
  @comment fenv.h
  @comment GNU
  @deftypefun int fedisableexcept (int @var{excepts})
@@ -192,7 +232,7 @@ index 77056c3..833e0c9 100644
  This functions disables traps for each of the exceptions as indicated by
  the parameter @var{except}.  The individual exceptions are described in
  @ref{Status bit operations}.  Only the specified exceptions are
-@@ -1095,6 +1131,7 @@ operation was successful, @code{-1} otherwise.
+@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
  @comment fenv.h
  @comment GNU
  @deftypefun int fegetexcept (void)
@@ -200,7 +240,7 @@ index 77056c3..833e0c9 100644
  The function returns a bitmask of all currently enabled exceptions.  It
  returns @code{-1} in case of failure.
  @end deftypefun
-@@ -1146,6 +1183,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
+@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
  @comment inttypes.h
  @comment ISO
  @deftypefunx intmax_t imaxabs (intmax_t @var{number})
@@ -208,7 +248,7 @@ index 77056c3..833e0c9 100644
  These functions return the absolute value of @var{number}.
  
  Most computers use a two's complement integer representation, in which
-@@ -1167,6 +1205,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
+@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} fabsl (long double @var{number})
@@ -216,7 +256,7 @@ index 77056c3..833e0c9 100644
  This function returns the absolute value of the floating-point number
  @var{number}.
  @end deftypefun
-@@ -1180,6 +1219,7 @@ This function returns the absolute value of the floating-point number
+@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
  @comment complex.h
  @comment ISO
  @deftypefunx {long double} cabsl (complex long double @var{z})
@@ -224,7 +264,7 @@ index 77056c3..833e0c9 100644
  These functions return the absolute  value of the complex number @var{z}
  (@pxref{Complex Numbers}).  The absolute value of a complex number is:
  
-@@ -1217,6 +1257,7 @@ All these functions are declared in @file{math.h}.
+@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
@@ -232,7 +272,7 @@ index 77056c3..833e0c9 100644
  These functions are used to split the number @var{value}
  into a normalized fraction and an exponent.
  
-@@ -1242,6 +1283,7 @@ zero is stored in @code{*@var{exponent}}.
+@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
@@ -240,7 +280,7 @@ index 77056c3..833e0c9 100644
  These functions return the result of multiplying the floating-point
  number @var{value} by 2 raised to the power @var{exponent}.  (It can
  be used to reassemble floating-point numbers that were taken apart
-@@ -1263,6 +1305,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
+@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
  @comment math.h
  @comment BSD
  @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
@@ -248,7 +288,7 @@ index 77056c3..833e0c9 100644
  The @code{scalb} function is the BSD name for @code{ldexp}.
  @end deftypefun
  
-@@ -1275,6 +1318,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
+@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
  @comment math.h
  @comment BSD
  @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
@@ -256,7 +296,7 @@ index 77056c3..833e0c9 100644
  @code{scalbn} is identical to @code{scalb}, except that the exponent
  @var{n} is an @code{int} instead of a floating-point number.
  @end deftypefun
-@@ -1288,6 +1332,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
+@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
  @comment math.h
  @comment BSD
  @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
@@ -264,7 +304,7 @@ index 77056c3..833e0c9 100644
  @code{scalbln} is identical to @code{scalb}, except that the exponent
  @var{n} is a @code{long int} instead of a floating-point number.
  @end deftypefun
-@@ -1301,6 +1346,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
+@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
  @comment math.h
  @comment BSD
  @deftypefunx {long double} significandl (long double @var{x})
@@ -272,7 +312,7 @@ index 77056c3..833e0c9 100644
  @code{significand} returns the mantissa of @var{x} scaled to the range
  @math{[1, 2)}.
  It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
-@@ -1335,6 +1381,7 @@ result as a @code{double} instead to get around this problem.
+@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} ceill (long double @var{x})
@@ -280,7 +320,7 @@ index 77056c3..833e0c9 100644
  These functions round @var{x} upwards to the nearest integer,
  returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
  is @code{2.0}.
-@@ -1349,6 +1396,7 @@ is @code{2.0}.
+@@ -1349,6 +1401,7 @@ is @code{2.0}.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} floorl (long double @var{x})
@@ -288,7 +328,7 @@ index 77056c3..833e0c9 100644
  These functions round @var{x} downwards to the nearest
  integer, returning that value as a @code{double}.  Thus, @code{floor
  (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
-@@ -1363,6 +1411,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
+@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
  @comment math.h
  @comment ISO
  @deftypefunx {long double} truncl (long double @var{x})
@@ -296,7 +336,7 @@ index 77056c3..833e0c9 100644
  The @code{trunc} functions round @var{x} towards zero to the nearest
  integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
  is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
-@@ -1377,6 +1426,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
+@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} rintl (long double @var{x})
@@ -304,7 +344,7 @@ index 77056c3..833e0c9 100644
  These functions round @var{x} to an integer value according to the
  current rounding mode.  @xref{Floating Point Parameters}, for
  information about the various rounding modes.  The default
-@@ -1397,6 +1447,7 @@ inexact exception.
+@@ -1397,6 +1452,7 @@ inexact exception.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} nearbyintl (long double @var{x})
@@ -312,7 +352,7 @@ index 77056c3..833e0c9 100644
  These functions return the same value as the @code{rint} functions, but
  do not raise the inexact exception if @var{x} is not an integer.
  @end deftypefun
-@@ -1410,6 +1461,7 @@ do not raise the inexact exception if @var{x} is not an integer.
+@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} roundl (long double @var{x})
@@ -320,7 +360,7 @@ index 77056c3..833e0c9 100644
  These functions are similar to @code{rint}, but they round halfway
  cases away from zero instead of to the nearest integer (or other
  current rounding mode).
-@@ -1424,6 +1476,7 @@ current rounding mode).
+@@ -1424,6 +1481,7 @@ current rounding mode).
  @comment math.h
  @comment ISO
  @deftypefunx {long int} lrintl (long double @var{x})
@@ -328,7 +368,7 @@ index 77056c3..833e0c9 100644
  These functions are just like @code{rint}, but they return a
  @code{long int} instead of a floating-point number.
  @end deftypefun
-@@ -1437,6 +1490,7 @@ These functions are just like @code{rint}, but they return a
+@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
  @comment math.h
  @comment ISO
  @deftypefunx {long long int} llrintl (long double @var{x})
@@ -336,7 +376,7 @@ index 77056c3..833e0c9 100644
  These functions are just like @code{rint}, but they return a
  @code{long long int} instead of a floating-point number.
  @end deftypefun
-@@ -1450,6 +1504,7 @@ These functions are just like @code{rint}, but they return a
+@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
  @comment math.h
  @comment ISO
  @deftypefunx {long int} lroundl (long double @var{x})
@@ -344,7 +384,7 @@ index 77056c3..833e0c9 100644
  These functions are just like @code{round}, but they return a
  @code{long int} instead of a floating-point number.
  @end deftypefun
-@@ -1463,6 +1518,7 @@ These functions are just like @code{round}, but they return a
+@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
  @comment math.h
  @comment ISO
  @deftypefunx {long long int} llroundl (long double @var{x})
@@ -352,7 +392,7 @@ index 77056c3..833e0c9 100644
  These functions are just like @code{round}, but they return a
  @code{long long int} instead of a floating-point number.
  @end deftypefun
-@@ -1477,6 +1533,7 @@ These functions are just like @code{round}, but they return a
+@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
  @comment math.h
  @comment ISO
  @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
@@ -360,7 +400,7 @@ index 77056c3..833e0c9 100644
  These functions break the argument @var{value} into an integer part and a
  fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
  equals @var{value}.  Each of the parts has the same sign as @var{value},
-@@ -1503,6 +1560,7 @@ suits your problem.
+@@ -1503,6 +1565,7 @@ suits your problem.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
@@ -368,7 +408,7 @@ index 77056c3..833e0c9 100644
  These functions compute the remainder from the division of
  @var{numerator} by @var{denominator}.  Specifically, the return value is
  @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
-@@ -1525,6 +1583,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
+@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
  @comment math.h
  @comment BSD
  @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
@@ -376,7 +416,7 @@ index 77056c3..833e0c9 100644
  These functions are like @code{fmod} except that they round the
  internal quotient @var{n} to the nearest integer instead of towards zero
  to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
-@@ -1548,6 +1607,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
+@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
  @comment math.h
  @comment BSD
  @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
@@ -384,7 +424,7 @@ index 77056c3..833e0c9 100644
  This function is another name for @code{drem}.
  @end deftypefun
  
-@@ -1569,6 +1629,7 @@ bits.
+@@ -1569,6 +1634,7 @@ bits.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
@@ -392,7 +432,7 @@ index 77056c3..833e0c9 100644
  These functions return @var{x} but with the sign of @var{y}.  They work
  even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
  sign (although not all implementations support it) and this is one of
-@@ -1584,6 +1645,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
+@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
  @comment math.h
  @comment ISO
  @deftypefun int signbit (@emph{float-type} @var{x})
@@ -400,7 +440,7 @@ index 77056c3..833e0c9 100644
  @code{signbit} is a generic macro which can work on all floating-point
  types.  It returns a nonzero value if the value of @var{x} has its sign
  bit set.
-@@ -1602,6 +1664,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
+@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
@@ -408,7 +448,7 @@ index 77056c3..833e0c9 100644
  The @code{nextafter} function returns the next representable neighbor of
  @var{x} in the direction towards @var{y}.  The size of the step between
  @var{x} and the result depends on the type of the result.  If
-@@ -1625,6 +1688,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
+@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
  @comment math.h
  @comment ISO
  @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
@@ -416,7 +456,7 @@ index 77056c3..833e0c9 100644
  These functions are identical to the corresponding versions of
  @code{nextafter} except that their second argument is a @code{long
  double}.
-@@ -1640,6 +1704,8 @@ double}.
+@@ -1640,6 +1709,8 @@ double}.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} nanl (const char *@var{tagp})
@@ -425,7 +465,7 @@ index 77056c3..833e0c9 100644
  The @code{nan} function returns a representation of NaN, provided that
  NaN is supported by the target platform.
  @code{nan ("@var{n-char-sequence}")} is equivalent to
-@@ -1674,6 +1740,7 @@ arguments only once.
+@@ -1674,6 +1745,7 @@ arguments only once.
  @comment math.h
  @comment ISO
  @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
@@ -433,7 +473,7 @@ index 77056c3..833e0c9 100644
  This macro determines whether the argument @var{x} is greater than
  @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
  exception is raised if @var{x} or @var{y} are NaN.
-@@ -1682,6 +1749,7 @@ exception is raised if @var{x} or @var{y} are NaN.
+@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
  @comment math.h
  @comment ISO
  @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
@@ -441,7 +481,7 @@ index 77056c3..833e0c9 100644
  This macro determines whether the argument @var{x} is greater than or
  equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
  exception is raised if @var{x} or @var{y} are NaN.
-@@ -1690,6 +1758,7 @@ exception is raised if @var{x} or @var{y} are NaN.
+@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
  @comment math.h
  @comment ISO
  @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
@@ -449,7 +489,7 @@ index 77056c3..833e0c9 100644
  This macro determines whether the argument @var{x} is less than @var{y}.
  It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
  raised if @var{x} or @var{y} are NaN.
-@@ -1698,6 +1767,7 @@ raised if @var{x} or @var{y} are NaN.
+@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
  @comment math.h
  @comment ISO
  @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
@@ -457,7 +497,7 @@ index 77056c3..833e0c9 100644
  This macro determines whether the argument @var{x} is less than or equal
  to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
  exception is raised if @var{x} or @var{y} are NaN.
-@@ -1706,6 +1776,7 @@ exception is raised if @var{x} or @var{y} are NaN.
+@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
  @comment math.h
  @comment ISO
  @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
@@ -465,7 +505,7 @@ index 77056c3..833e0c9 100644
  This macro determines whether the argument @var{x} is less or greater
  than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
  (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
-@@ -1718,6 +1789,7 @@ expression is true if @var{x} or @var{y} are NaN.
+@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
  @comment math.h
  @comment ISO
  @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
@@ -473,7 +513,7 @@ index 77056c3..833e0c9 100644
  This macro determines whether its arguments are unordered.  In other
  words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
  @end deftypefn
-@@ -1751,6 +1823,7 @@ perform these operations faster than the equivalent C code.
+@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
@@ -481,7 +521,7 @@ index 77056c3..833e0c9 100644
  The @code{fmin} function returns the lesser of the two values @var{x}
  and @var{y}.  It is similar to the expression
  @smallexample
-@@ -1771,6 +1844,7 @@ are NaN, NaN is returned.
+@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
@@ -489,7 +529,7 @@ index 77056c3..833e0c9 100644
  The @code{fmax} function returns the greater of the two values @var{x}
  and @var{y}.
  
-@@ -1787,6 +1861,7 @@ are NaN, NaN is returned.
+@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
  @comment math.h
  @comment ISO
  @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
@@ -497,7 +537,7 @@ index 77056c3..833e0c9 100644
  The @code{fdim} function returns the positive difference between
  @var{x} and @var{y}.  The positive difference is @math{@var{x} -
  @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
-@@ -1804,6 +1879,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
+@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
  @comment ISO
  @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
  @cindex butterfly
@@ -505,7 +545,7 @@ index 77056c3..833e0c9 100644
  The @code{fma} function performs floating-point multiply-add.  This is
  the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
  intermediate result is not rounded to the destination type.  This can
-@@ -1933,6 +2009,7 @@ available in three variants, one for each of the three complex types.
+@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
  @comment complex.h
  @comment ISO
  @deftypefunx {long double} creall (complex long double @var{z})
@@ -513,7 +553,7 @@ index 77056c3..833e0c9 100644
  These functions return the real part of the complex number @var{z}.
  @end deftypefun
  
-@@ -1945,6 +2022,7 @@ These functions return the real part of the complex number @var{z}.
+@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
  @comment complex.h
  @comment ISO
  @deftypefunx {long double} cimagl (complex long double @var{z})
@@ -521,7 +561,7 @@ index 77056c3..833e0c9 100644
  These functions return the imaginary part of the complex number @var{z}.
  @end deftypefun
  
-@@ -1957,6 +2035,7 @@ These functions return the imaginary part of the complex number @var{z}.
+@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
  @comment complex.h
  @comment ISO
  @deftypefunx {complex long double} conjl (complex long double @var{z})
@@ -529,7 +569,7 @@ index 77056c3..833e0c9 100644
  These functions return the conjugate value of the complex number
  @var{z}.  The conjugate of a complex number has the same real part and a
  negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
-@@ -1971,6 +2050,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
+@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
  @comment complex.h
  @comment ISO
  @deftypefunx {long double} cargl (complex long double @var{z})
@@ -537,7 +577,7 @@ index 77056c3..833e0c9 100644
  These functions return the argument of the complex number @var{z}.
  The argument of a complex number is the angle in the complex plane
  between the positive real axis and a line passing through zero and the
-@@ -1989,6 +2069,7 @@ number.  This angle is measured in the usual fashion and ranges from
+@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
  @comment complex.h
  @comment ISO
  @deftypefunx {complex long double} cprojl (complex long double @var{z})
@@ -545,7 +585,7 @@ index 77056c3..833e0c9 100644
  These functions return the projection of the complex value @var{z} onto
  the Riemann sphere.  Values with a infinite imaginary part are projected
  to positive infinity on the real axis, even if the real part is NaN.  If
-@@ -2034,6 +2115,16 @@ as well.
+@@ -2034,6 +2120,16 @@ as well.
  @comment stdlib.h
  @comment ISO
  @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -562,7 +602,7 @@ index 77056c3..833e0c9 100644
  The @code{strtol} (``string-to-long'') function converts the initial
  part of @var{string} to a signed integer, which is returned as a value
  of type @code{long int}.
-@@ -2097,6 +2188,7 @@ There is an example at the end of this section.
+@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
  @comment wchar.h
  @comment ISO
  @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
@@ -570,7 +610,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstol} function is equivalent to the @code{strtol} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2106,6 +2198,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
  @comment stdlib.h
  @comment ISO
  @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -578,7 +618,7 @@ index 77056c3..833e0c9 100644
  The @code{strtoul} (``string-to-unsigned-long'') function is like
  @code{strtol} except it converts to an @code{unsigned long int} value.
  The syntax is the same as described above for @code{strtol}.  The value
-@@ -2124,6 +2217,7 @@ range, or @code{ERANGE} on overflow.
+@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
  @comment wchar.h
  @comment ISO
  @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
@@ -586,7 +626,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstoul} function is equivalent to the @code{strtoul} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2133,6 +2227,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
  @comment stdlib.h
  @comment ISO
  @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -594,7 +634,7 @@ index 77056c3..833e0c9 100644
  The @code{strtoll} function is like @code{strtol} except that it returns
  a @code{long long int} value, and accepts numbers with a correspondingly
  larger range.
-@@ -2149,6 +2244,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
+@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
  @comment wchar.h
  @comment ISO
  @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
@@ -602,7 +642,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstoll} function is equivalent to the @code{strtoll} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2158,12 +2254,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
  @comment stdlib.h
  @comment BSD
  @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -617,7 +657,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstoq} function is equivalent to the @code{strtoq} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2173,6 +2271,7 @@ The @code{wcstoq} function is a GNU extension.
+@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
  @comment stdlib.h
  @comment ISO
  @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -625,7 +665,7 @@ index 77056c3..833e0c9 100644
  The @code{strtoull} function is related to @code{strtoll} the same way
  @code{strtoul} is related to @code{strtol}.
  
-@@ -2182,6 +2281,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
+@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
  @comment wchar.h
  @comment ISO
  @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
@@ -633,7 +673,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstoull} function is equivalent to the @code{strtoull} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2191,12 +2291,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
  @comment stdlib.h
  @comment BSD
  @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -648,7 +688,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstouq} function is equivalent to the @code{strtouq} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2206,6 +2308,7 @@ The @code{wcstouq} function is a GNU extension.
+@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
  @comment inttypes.h
  @comment ISO
  @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -656,7 +696,7 @@ index 77056c3..833e0c9 100644
  The @code{strtoimax} function is like @code{strtol} except that it returns
  a @code{intmax_t} value, and accepts numbers of a corresponding range.
  
-@@ -2222,6 +2325,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
+@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
  @comment wchar.h
  @comment ISO
  @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
@@ -664,7 +704,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2231,6 +2335,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
+@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
  @comment inttypes.h
  @comment ISO
  @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
@@ -672,7 +712,7 @@ index 77056c3..833e0c9 100644
  The @code{strtoumax} function is related to @code{strtoimax}
  the same way that @code{strtoul} is related to @code{strtol}.
  
-@@ -2241,6 +2346,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
+@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
  @comment wchar.h
  @comment ISO
  @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
@@ -680,7 +720,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
  in nearly all aspects but handles wide character strings.
  
-@@ -2250,6 +2356,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
+@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
  @comment stdlib.h
  @comment ISO
  @deftypefun {long int} atol (const char *@var{string})
@@ -688,7 +728,7 @@ index 77056c3..833e0c9 100644
  This function is similar to the @code{strtol} function with a @var{base}
  argument of @code{10}, except that it need not detect overflow errors.
  The @code{atol} function is provided mostly for compatibility with
-@@ -2259,6 +2366,7 @@ existing code; using @code{strtol} is more robust.
+@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
  @comment stdlib.h
  @comment ISO
  @deftypefun int atoi (const char *@var{string})
@@ -696,7 +736,7 @@ index 77056c3..833e0c9 100644
  This function is like @code{atol}, except that it returns an @code{int}.
  The @code{atoi} function is also considered obsolete; use @code{strtol}
  instead.
-@@ -2267,6 +2375,7 @@ instead.
+@@ -2267,6 +2380,7 @@ instead.
  @comment stdlib.h
  @comment ISO
  @deftypefun {long long int} atoll (const char *@var{string})
@@ -704,17 +744,43 @@ index 77056c3..833e0c9 100644
  This function is similar to @code{atol}, except it returns a @code{long
  long int}.
  
-@@ -2331,6 +2440,9 @@ as well.
+@@ -2331,6 +2445,35 @@ as well.
  @comment stdlib.h
  @comment ISO
  @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
 +@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 +@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
 +@c mpn, but it's all safe.
++@c
++@c round_and_return
++@c   get_rounding_mode ok
++@c   mpn_add_1 ok
++@c   mpn_rshift ok
++@c   MPN_ZERO ok
++@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
++@c str_to_mpn
++@c   mpn_mul_1 -> umul_ppmm ok
++@c   mpn_add_1 ok
++@c mpn_lshift_1 -> mpn_lshift ok
++@c STRTOF_INTERNAL
++@c   MPN_VAR ok
++@c   SET_MANTISSA ok
++@c   STRNCASECMP ok, wide and narrow
++@c   round_and_return ok
++@c   mpn_mul ok
++@c     mpn_addmul_1 ok
++@c     ... mpn_sub
++@c   mpn_lshift ok
++@c   udiv_qrnnd ok
++@c   count_leading_zeros ok
++@c   add_ssaaaa ok
++@c   sub_ddmmss ok
++@c   umul_ppmm ok
++@c   mpn_submul_1 ok
  The @code{strtod} (``string-to-double'') function converts the initial
  part of @var{string} to a floating-point number, which is returned as a
  value of type @code{double}.
-@@ -2416,6 +2528,7 @@ examining @var{errno} and @var{tailptr}.
+@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
  @comment stdlib.h
  @comment ISO
  @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
@@ -722,7 +788,7 @@ index 77056c3..833e0c9 100644
  These functions are analogous to @code{strtod}, but return @code{float}
  and @code{long double} values respectively.  They report errors in the
  same way as @code{strtod}.  @code{strtof} can be substantially faster
-@@ -2435,6 +2548,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
+@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
  @comment stdlib.h
  @comment ISO
  @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
@@ -730,7 +796,7 @@ index 77056c3..833e0c9 100644
  The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
  equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
  @code{strtold} functions but it handles wide character string.
-@@ -2447,6 +2561,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
+@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
  @comment stdlib.h
  @comment ISO
  @deftypefun double atof (const char *@var{string})
@@ -738,7 +804,7 @@ index 77056c3..833e0c9 100644
  This function is similar to the @code{strtod} function, except that it
  need not detect overflow and underflow errors.  The @code{atof} function
  is provided mostly for compatibility with existing code; using
-@@ -2473,6 +2588,7 @@ All these functions are defined in @file{stdlib.h}.
+@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
  @comment stdlib.h
  @comment SVID, Unix98
  @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
@@ -746,7 +812,7 @@ index 77056c3..833e0c9 100644
  The function @code{ecvt} converts the floating-point number @var{value}
  to a string with at most @var{ndigit} decimal digits.  The
  returned string contains no decimal point or sign. The first digit of
-@@ -2498,6 +2614,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
+@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
  @comment stdlib.h
  @comment SVID, Unix98
  @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
@@ -754,7 +820,7 @@ index 77056c3..833e0c9 100644
  The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
  the number of digits after the decimal point.  If @var{ndigit} is less
  than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
-@@ -2516,6 +2633,9 @@ to @code{fcvt}.
+@@ -2516,6 +2664,9 @@ to @code{fcvt}.
  @comment stdlib.h
  @comment SVID, Unix98
  @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
@@ -764,7 +830,7 @@ index 77056c3..833e0c9 100644
  @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
  ndigit, value}.  It is provided only for compatibility's sake.  It
  returns @var{buf}.
-@@ -2530,6 +2650,7 @@ functions that take @code{long double} arguments.
+@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
  @comment stdlib.h
  @comment GNU
  @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
@@ -772,7 +838,7 @@ index 77056c3..833e0c9 100644
  This function is equivalent to @code{ecvt} except that it takes a
  @code{long double} for the first parameter and that @var{ndigit} is
  restricted by the precision of a @code{long double}.
-@@ -2538,6 +2659,7 @@ restricted by the precision of a @code{long double}.
+@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
  @comment stdlib.h
  @comment GNU
  @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
@@ -780,7 +846,7 @@ index 77056c3..833e0c9 100644
  This function is equivalent to @code{fcvt} except that it
  takes a @code{long double} for the first parameter and that @var{ndigit} is
  restricted by the precision of a @code{long double}.
-@@ -2546,6 +2668,7 @@ restricted by the precision of a @code{long double}.
+@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
  @comment stdlib.h
  @comment GNU
  @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
@@ -788,7 +854,7 @@ index 77056c3..833e0c9 100644
  This function is equivalent to @code{gcvt} except that it takes a
  @code{long double} for the first parameter and that @var{ndigit} is
  restricted by the precision of a @code{long double}.
-@@ -2566,6 +2689,7 @@ user-supplied buffer.
+@@ -2566,6 +2720,7 @@ user-supplied buffer.
  @comment stdlib.h
  @comment GNU
  @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
@@ -796,7 +862,7 @@ index 77056c3..833e0c9 100644
  The @code{ecvt_r} function is the same as @code{ecvt}, except
  that it places its result into the user-specified buffer pointed to by
  @var{buf}, with length @var{len}.  The return value is @code{-1} in
-@@ -2577,6 +2701,7 @@ This function is a GNU extension.
+@@ -2577,6 +2732,7 @@ This function is a GNU extension.
  @comment stdlib.h
  @comment SVID, Unix98
  @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
@@ -804,7 +870,7 @@ index 77056c3..833e0c9 100644
  The @code{fcvt_r} function is the same as @code{fcvt}, except that it
  places its result into the user-specified buffer pointed to by
  @var{buf}, with length @var{len}.  The return value is @code{-1} in
-@@ -2588,6 +2713,7 @@ This function is a GNU extension.
+@@ -2588,6 +2744,7 @@ This function is a GNU extension.
  @comment stdlib.h
  @comment GNU
  @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
@@ -812,7 +878,7 @@ index 77056c3..833e0c9 100644
  The @code{qecvt_r} function is the same as @code{qecvt}, except
  that it places its result into the user-specified buffer pointed to by
  @var{buf}, with length @var{len}.  The return value is @code{-1} in
-@@ -2599,6 +2725,7 @@ This function is a GNU extension.
+@@ -2599,6 +2756,7 @@ This function is a GNU extension.
  @comment stdlib.h
  @comment GNU
  @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 1950b7a..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,86 +0,0 @@
-Bottom: e75a47b5ad278b7f85e5420cd63cda069e0b7030
-Top:    77a9710ea0dc3422d900f3c93d406942e132693c
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 22:00:05 -0300
-
-Refresh of manual-document-mt-safety-arith.patch
-
----
-
-diff --git a/manual/arith.texi b/manual/arith.texi
-index 833e0c9..5c3aa9d 100644
---- a/manual/arith.texi
-+++ b/manual/arith.texi
-@@ -323,6 +323,7 @@ floating-point number a variable holds.
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is a generic macro which works on all floating-point types and
- which returns a value of type @code{int}.  The possible values are:
- 
-@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is finite: not plus or
- minus infinity, and not NaN.  It is equivalent to
- 
-@@ -373,6 +375,7 @@ floating-point type.
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is finite and normalized.
- It is equivalent to
- 
-@@ -384,6 +387,7 @@ It is equivalent to
- @comment math.h
- @comment ISO
- @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
- to
- 
-@@ -395,6 +399,7 @@ to
- @comment math.h
- @comment GNU
- @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This macro returns a nonzero value if @var{x} is a signaling NaN
- (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
- extension.
-@@ -2443,6 +2448,32 @@ as well.
- @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
- @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
- @c mpn, but it's all safe.
-+@c
-+@c round_and_return
-+@c   get_rounding_mode ok
-+@c   mpn_add_1 ok
-+@c   mpn_rshift ok
-+@c   MPN_ZERO ok
-+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
-+@c str_to_mpn
-+@c   mpn_mul_1 -> umul_ppmm ok
-+@c   mpn_add_1 ok
-+@c mpn_lshift_1 -> mpn_lshift ok
-+@c STRTOF_INTERNAL
-+@c   MPN_VAR ok
-+@c   SET_MANTISSA ok
-+@c   STRNCASECMP ok, wide and narrow
-+@c   round_and_return ok
-+@c   mpn_mul ok
-+@c     mpn_addmul_1 ok
-+@c     ... mpn_sub
-+@c   mpn_lshift ok
-+@c   udiv_qrnnd ok
-+@c   count_leading_zeros ok
-+@c   add_ssaaaa ok
-+@c   sub_ddmmss ok
-+@c   umul_ppmm ok
-+@c   mpn_submul_1 ok
- The @code{strtod} (``string-to-double'') function converts the initial
- part of @var{string} to a floating-point number, which is returned as a
- value of type @code{double}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4333c49a222db29650411bf35bcf96e650464ff9

commit 4333c49a222db29650411bf35bcf96e650464ff9
Merge: 15f6d5c 0c3a0fd e100ba3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:06 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=15f6d5c35067e03be01c127bcfd9e2e9fe1b8533

commit 15f6d5c35067e03be01c127bcfd9e2e9fe1b8533
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:06 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index ec1a72d..4b29503 100644
--- a/meta
+++ b/meta
@@ -1,11 +1,12 @@
 Version: 1
-Previous: a9a80d7db412a35452f3cf4e4409c2b8f57c906f
-Head: b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d
+Previous: 0c3a0fd528c1aea76c88e92991b952428087e5a5
+Head: e100ba384a1bfa95f011c59ef9e535600dbbbf03
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
   manual-document-mt-safety-arith.patch: b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d
+  refresh-temp: e100ba384a1bfa95f011c59ef9e535600dbbbf03
 Unapplied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..1950b7a
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,86 @@
+Bottom: e75a47b5ad278b7f85e5420cd63cda069e0b7030
+Top:    77a9710ea0dc3422d900f3c93d406942e132693c
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 22:00:05 -0300
+
+Refresh of manual-document-mt-safety-arith.patch
+
+---
+
+diff --git a/manual/arith.texi b/manual/arith.texi
+index 833e0c9..5c3aa9d 100644
+--- a/manual/arith.texi
++++ b/manual/arith.texi
+@@ -323,6 +323,7 @@ floating-point number a variable holds.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is a generic macro which works on all floating-point types and
+ which returns a value of type @code{int}.  The possible values are:
+ 
+@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is finite: not plus or
+ minus infinity, and not NaN.  It is equivalent to
+ 
+@@ -373,6 +375,7 @@ floating-point type.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is finite and normalized.
+ It is equivalent to
+ 
+@@ -384,6 +387,7 @@ It is equivalent to
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
+ to
+ 
+@@ -395,6 +399,7 @@ to
+ @comment math.h
+ @comment GNU
+ @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is a signaling NaN
+ (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
+ extension.
+@@ -2443,6 +2448,32 @@ as well.
+ @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+ @c mpn, but it's all safe.
++@c
++@c round_and_return
++@c   get_rounding_mode ok
++@c   mpn_add_1 ok
++@c   mpn_rshift ok
++@c   MPN_ZERO ok
++@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
++@c str_to_mpn
++@c   mpn_mul_1 -> umul_ppmm ok
++@c   mpn_add_1 ok
++@c mpn_lshift_1 -> mpn_lshift ok
++@c STRTOF_INTERNAL
++@c   MPN_VAR ok
++@c   SET_MANTISSA ok
++@c   STRNCASECMP ok, wide and narrow
++@c   round_and_return ok
++@c   mpn_mul ok
++@c     mpn_addmul_1 ok
++@c     ... mpn_sub
++@c   mpn_lshift ok
++@c   udiv_qrnnd ok
++@c   count_leading_zeros ok
++@c   add_ssaaaa ok
++@c   sub_ddmmss ok
++@c   umul_ppmm ok
++@c   mpn_submul_1 ok
+ The @code{strtod} (``string-to-double'') function converts the initial
+ part of @var{string} to a floating-point number, which is returned as a
+ value of type @code{double}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e100ba384a1bfa95f011c59ef9e535600dbbbf03

commit e100ba384a1bfa95f011c59ef9e535600dbbbf03
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 22:00:05 2013 -0300

    Refresh of manual-document-mt-safety-arith.patch

diff --git a/manual/arith.texi b/manual/arith.texi
index 833e0c9..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -323,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -373,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -384,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -395,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -2443,6 +2448,32 @@ as well.
 @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
 @c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0c3a0fd528c1aea76c88e92991b952428087e5a5

commit 0c3a0fd528c1aea76c88e92991b952428087e5a5
Merge: 3aac299 a9a80d7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:59:00 2013 -0300

    goto


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3aac29928db4613c0439ea41f186f8c7c94a98c4

commit 3aac29928db4613c0439ea41f186f8c7c94a98c4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:59:00 2013 -0300

    goto

diff --git a/meta b/meta
index 0cac905..ec1a72d 100644
--- a/meta
+++ b/meta
@@ -1,16 +1,16 @@
 Version: 1
-Previous: 96ebb1e30dfff4c328081e6ba98ee59e9a16d520
-Head: 9d7c8bd6707cd06cb1f10ff81ef6ae4c44704091
+Previous: a9a80d7db412a35452f3cf4e4409c2b8f57c906f
+Head: b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
   unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
   manual-document-mt-safety-arith.patch: b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d
+Unapplied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
   manual-document-mt-safety-argp.patch: 9d7c8bd6707cd06cb1f10ff81ef6ae4c44704091
-Unapplied:
   manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a9a80d7db412a35452f3cf4e4409c2b8f57c906f

commit a9a80d7db412a35452f3cf4e4409c2b8f57c906f
Merge: 96fada4 9d7c8bd 96ebb1e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:58:08 2013 -0300

    edit


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=96fada49944a65715ea9527fe936c5cb703066d8

commit 96fada49944a65715ea9527fe936c5cb703066d8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:58:08 2013 -0300

    edit

diff --git a/meta b/meta
index 5d9f62a..0cac905 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7e8611dfbf8a75c282b47f6b161e96476686f52e
-Head: 9c72e170ce965fba178d57de917a65654076047c
+Previous: 96ebb1e30dfff4c328081e6ba98ee59e9a16d520
+Head: 9d7c8bd6707cd06cb1f10ff81ef6ae4c44704091
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,7 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
-  manual-document-mt-safety-argp.patch: 9c72e170ce965fba178d57de917a65654076047c
+  manual-document-mt-safety-argp.patch: 9d7c8bd6707cd06cb1f10ff81ef6ae4c44704091
 Unapplied:
   manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
index 61f2f79..d575e96 100644
--- a/patches/manual-document-mt-safety-argp.patch
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -7,7 +7,7 @@ Thread safety documentation.
 
 for ChangeLog
 
-	* manual/???.texi: Document thread safety properties.
+	* manual/argp.texi: Document thread safety properties.
 
 
 ---

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9d7c8bd6707cd06cb1f10ff81ef6ae4c44704091

commit 9d7c8bd6707cd06cb1f10ff81ef6ae4c44704091
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/argp.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=96ebb1e30dfff4c328081e6ba98ee59e9a16d520

commit 96ebb1e30dfff4c328081e6ba98ee59e9a16d520
Merge: d9b0b74 9c72e17 7e8611d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    import


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d9b0b74c401b64500244517f1adf29c170ffd33e

commit d9b0b74c401b64500244517f1adf29c170ffd33e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    import

diff --git a/meta b/meta
index 54c22b4..5d9f62a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: d11da2b66d5e92c15d1fc15f0ea42641d2461e28
-Head: 263eed84f16353fb704fac8338422fb3f7b863fb
+Previous: 7e8611dfbf8a75c282b47f6b161e96476686f52e
+Head: 9c72e170ce965fba178d57de917a65654076047c
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
+  manual-document-mt-safety-argp.patch: 9c72e170ce965fba178d57de917a65654076047c
 Unapplied:
   manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:
diff --git a/patches/manual-document-mt-safety-argp.patch b/patches/manual-document-mt-safety-argp.patch
new file mode 100644
index 0000000..61f2f79
--- /dev/null
+++ b/patches/manual-document-mt-safety-argp.patch
@@ -0,0 +1,241 @@
+Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
+Top:    a71a934d3af669b0a2a4656922c2a6cfd020181a
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 21:57:08 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/???.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/argp.texi b/manual/argp.texi
+index c9fbe97..5322f91 100644
+--- a/manual/argp.texi
++++ b/manual/argp.texi
+@@ -36,6 +36,35 @@ needed in @code{main}.
+ @comment argp.h
+ @comment GNU
+ @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
++@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c Optionally alloca()tes standard help options, initializes the parser,
++@c then parses individual args in a loop, and then finalizes.
++@c  parser_init
++@c   calc_sizes ok
++@c    option_is_end ok
++@c   malloc
++@c   parser_convert glocale
++@c    convert_options glocale
++@c     option_is_end ok
++@c     option_is_short ok
++@c      isprint, but locale may change within the loop
++@c     find_long_option ok
++@c   group_parse
++@c    group->parser (from argp->parser)
++@c  parser_parse_next
++@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
++@c   parser_parse_arg
++@c    group_parse
++@c   parser_parse_opt
++@c    group_parse
++@c    argp_error
++@c    dgettext (bad key error)
++@c  parser_finalize
++@c   group_parse
++@c   fprintf
++@c   dgettext
++@c   arg_state_help
++@c   free
+ The @code{argp_parse} function parses the arguments in @var{argv}, of
+ length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
+ Parsers}.  Passing a null pointer for @var{argp} is the same as using
+@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_usage (const struct argp_state *@var{state})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
+ Outputs the standard usage message for the argp parser referred to by
+ @var{state} to @code{@var{state}->err_stream} and terminate the program
+ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
+@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Lock stream, vasprintf the formatted message into a buffer, print the
++@c buffer prefixed by the short program name (in libc,
++@c argp_short_program_name is a macro that expands to
++@c program_invocation_short_name), releases the buffer, then call
++@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
++@c stream at the end.
+ Prints the printf format string @var{fmt} and following args, preceded
+ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
+ --help}} message, and terminates the program with an exit status of
+@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
++@c Lock stream, write out the short program name, vasprintf the optional
++@c formatted message to a buffer, print the buffer prefixed by colon and
++@c blank, release the buffer, call strerror_r with an automatic buffer,
++@c print it out after colon and blank, put[w]c a line break, unlock the
++@c stream, then exit unless ARGP_NO_EXIT.
+ Similar to the standard gnu error-reporting function @code{error}, this
+ prints the program name and @samp{:}, the printf format string
+ @var{fmt}, and the appropriate following args.  If it is non-zero, the
+@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Just calls _help with the short program name and optionally exit.
++@c The main problems in _help, besides the usual issues with stream I/O
++@c and translation, are the use of a static buffer (uparams) that makes
++@c the whole thing thread-unsafe, reading from the environment for
++@c ARGP_HELP_FMT, accessing the locale object multiple times.
++
++@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c  dgettext asi18n
++@c  flockfile lockleak
++@c  funlockfile lockleak
++@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
++@c   argp_failure dup (status = errnum = 0)
++@c   atoi dup
++@c  argp_hol asmalloc, memleak
++@c   make_hol asmalloc, memleak
++@c   hol_add_cluster asmalloc, memleak
++@c   hol_append asmalloc, memleak
++@c  hol_set_group ok
++@c   hol_find_entry ok
++@c  hol_sort glocale, asmalloc, memleak
++@c   qsort asmalloc, memleak
++@c    hol_entry_qcmp glocale
++@c     hol_entry_cmp glocale
++@c      group_cmp ok
++@c      hol_cluster_cmp ok
++@c       group_cmp ok
++@c      hol_entry_first_short glocale
++@c       hol_entry_short_iterate [glocale]
++@c        until_short ok
++@c         oshort ok
++@c          isprint ok
++@c      odoc ok
++@c      hol_entry_first_long ok
++@c      canon_doc_option glocale
++@c      tolower dup
++@c  hol_usage glocale, asi18n, asmalloc, memleak
++@c   hol_entry_short_iterate ok
++@c    add_argless_short_opt ok
++@c   argp_fmtstream_printf dup
++@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
++@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
++@c     dgettext dup
++@c     argp_fmtstream_printf dup
++@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
++@c    usage_long_opt glocale, asi18n, asmalloc, memleak
++@c     dgettext dup
++@c     argp_fmtstream_printf dup
++@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_set_lmargin dup
++@c    argp_fmtstream_wmargin dup
++@c    argp_fmtstream_set_wmargin dup
++@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c     argp_fmtstream_putc dup
++@c     hol_cluster_is_child ok
++@c     argp_fmtstream_wmargin dup
++@c     print_header dup
++@c     argp_fmtstream_set_wmargin dup
++@c     argp_fmtstream_puts dup
++@c     indent_to dup
++@c    argp_fmtstream_putc dup
++@c    arg glocale, asmalloc, memleak
++@c     argp_fmtstream_printf dup
++@c    odoc dup
++@c    argp_fmtstream_puts dup
++@c    argp_fmtstream_printf dup
++@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c     dgettext dup
++@c     filter_doc dup
++@c     argp_fmtstream_putc dup
++@c     indent_to dup
++@c     argp_fmtstream_set_lmargin dup
++@c     argp_fmtstream_set_wmargin dup
++@c     argp_fmtstream_puts dup
++@c     free dup
++@c    filter_doc dup
++@c    argp_fmtstream_point dup
++@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c     argp_fmtstream_point dup
++@c     argp_fmtstream_putc dup
++@c   dgettext dup
++@c   filter_doc dup
++@c   argp_fmtstream_putc dup
++@c   argp_fmtstream_puts dup
++@c   free dup
++@c  hol_free asmalloc, memleak
++@c   free dup
++@c  argp_args_levels ok
++@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
++@c   dgettext dup
++@c   filter_doc ok
++@c    argp_input ok
++@c    argp->help_filter
++@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_point dup
++@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
++@c     argp_fmtstream_update dup
++@c    argp_fmtstream_putc dup
++@c   argp_fmtstream_write dup
++@c   free dup
++@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c   dgettext asi18n
++@c   strndup asmalloc, memleak
++@c   argp_input dup
++@c   argp->help_filter
++@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_ensure dup
++@c   argp_fmtstream_write dup
++@c   argp_fmtstream_puts dup
++@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
++@c    argp_fmtstream_update dup
++@c   argp_fmtstream_lmargin dup
++@c   free dup
++@c  argp_make_fmtstream asmalloc, memleak
++@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
++@c    put[w]c_unlocked dup
++@c    isblank in loop glocale
++@c    fxprintf lockleak
++@c   fxprintf lockleak
++@c   free dup
++@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
++@c   argp_fmtstream_update dup
++@c  argp_fmtstream_printf glocale, asmalloc, memleak
++@c   argp_fmtstream_ensure dup
++@c   vsnprintf dup
++@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
++@c   argp_fmtstream_update dup
++@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c     argp_fmtstream_update dup
++@c     fxprintf lockleak
++@c     realloc asmalloc, memleak
+ Outputs a help message for the argp parser referred to by @var{state},
+ to @var{stream}.  The @var{flags} argument determines what sort of help
+ message is produced.  @xref{Argp Help Flags}.
+@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Just calls _help.  
+ This outputs a help message for the argp parser @var{argp} to
+ @var{stream}.  The type of messages printed will be determined by
+ @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9c72e170ce965fba178d57de917a65654076047c

commit 9c72e170ce965fba178d57de917a65654076047c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:57:08 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/???.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7e8611dfbf8a75c282b47f6b161e96476686f52e

commit 7e8611dfbf8a75c282b47f6b161e96476686f52e
Merge: 8e11c55 d11da2b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:55:25 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8e11c554371a8a899acb151eef8276c929386ca5

commit 8e11c554371a8a899acb151eef8276c929386ca5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:55:25 2013 -0300

    pop

diff --git a/meta b/meta
index 8d20da7..54c22b4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 787273f6143b548e5f11f11b3c3c95fa45db9c4c
-Head: 373cd1281ba686c2fef8b1307137684c40b28058
+Previous: d11da2b66d5e92c15d1fc15f0ea42641d2461e28
+Head: 263eed84f16353fb704fac8338422fb3f7b863fb
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
-  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Unapplied:
+  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d11da2b66d5e92c15d1fc15f0ea42641d2461e28

commit d11da2b66d5e92c15d1fc15f0ea42641d2461e28
Merge: c10c502 787273f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:55:17 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c10c50214e1269808d0662d71ccd99f3c32d2ce3

commit c10c50214e1269808d0662d71ccd99f3c32d2ce3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:55:17 2013 -0300

    push

diff --git a/meta b/meta
index 063172b..8d20da7 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 64199f51a381b4d4b5f7315b70c469e03864f76d
-Head: 263eed84f16353fb704fac8338422fb3f7b863fb
+Previous: 787273f6143b548e5f11f11b3c3c95fa45db9c4c
+Head: 373cd1281ba686c2fef8b1307137684c40b28058
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
-Unapplied:
   manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=787273f6143b548e5f11f11b3c3c95fa45db9c4c

commit 787273f6143b548e5f11f11b3c3c95fa45db9c4c
Merge: 39cc60e 64199f5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:55:16 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=39cc60e0947495e98f5040aa9a7dc30327fec99e

commit 39cc60e0947495e98f5040aa9a7dc30327fec99e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:55:16 2013 -0300

    pop

diff --git a/meta b/meta
index 72f3a68..063172b 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 7ba5686bb79cef2c170433c89c68e7575d7668c4
-Head: 373cd1281ba686c2fef8b1307137684c40b28058
+Previous: 64199f51a381b4d4b5f7315b70c469e03864f76d
+Head: 263eed84f16353fb704fac8338422fb3f7b863fb
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
-  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Unapplied:
+  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=64199f51a381b4d4b5f7315b70c469e03864f76d

commit 64199f51a381b4d4b5f7315b70c469e03864f76d
Merge: 588c9a7 7ba5686
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:51:16 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=588c9a7cd0103760ac51eb8b74b41973dea845a4

commit 588c9a7cd0103760ac51eb8b74b41973dea845a4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:51:16 2013 -0300

    push

diff --git a/meta b/meta
index d9759ea..72f3a68 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 08970c2b94024e0d230a0d776f1871063f8e6c88
-Head: 263eed84f16353fb704fac8338422fb3f7b863fb
+Previous: 7ba5686bb79cef2c170433c89c68e7575d7668c4
+Head: 373cd1281ba686c2fef8b1307137684c40b28058
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
-Unapplied:
   manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7ba5686bb79cef2c170433c89c68e7575d7668c4

commit 7ba5686bb79cef2c170433c89c68e7575d7668c4
Merge: 061c868 08970c2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:51:09 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=061c8681a056597b8bbd858c0f4f02319cf9bf9d

commit 061c8681a056597b8bbd858c0f4f02319cf9bf9d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:51:09 2013 -0300

    pop

diff --git a/meta b/meta
index 982c922..d9759ea 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 341e0af39e89972732f33b2256ec2fbf58b1e847
-Head: 373cd1281ba686c2fef8b1307137684c40b28058
+Previous: 08970c2b94024e0d230a0d776f1871063f8e6c88
+Head: 263eed84f16353fb704fac8338422fb3f7b863fb
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
-  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Unapplied:
+  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=08970c2b94024e0d230a0d776f1871063f8e6c88

commit 08970c2b94024e0d230a0d776f1871063f8e6c88
Merge: d313dd8 373cd12 341e0af
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:28 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d313dd81e9656f121dc256f8de0ed9330b50b7d2

commit d313dd81e9656f121dc256f8de0ed9330b50b7d2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:28 2013 -0300

    push

diff --git a/meta b/meta
index 8fa23ce..982c922 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 6d47d3e1ad0ad4cbb739a9566bab050b7332879f
-Head: 263eed84f16353fb704fac8338422fb3f7b863fb
+Previous: 341e0af39e89972732f33b2256ec2fbf58b1e847
+Head: 373cd1281ba686c2fef8b1307137684c40b28058
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
+  manual-document-mt-safety-wip.patch: 373cd1281ba686c2fef8b1307137684c40b28058
 Unapplied:
-  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/manual-document-mt-safety-wip.patch b/patches/manual-document-mt-safety-wip.patch
index 83ac8f5..403d0e3 100644
--- a/patches/manual-document-mt-safety-wip.patch
+++ b/patches/manual-document-mt-safety-wip.patch
@@ -1,4 +1,4 @@
-Bottom: 1f38562405d3b5dadb8c27bd94ec1cba5a2481da
+Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
 Top:    7472b1dd7a8cc8760b98cd08cb7f8418374249ed
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
@@ -685,330 +685,6 @@ index ef90590..5c9f6f7 100644
  
  The function @code{des_setparity} changes the 64-bit @var{key}, stored
  packed in 8-bit bytes, to have odd parity by altering the low bits of
-diff --git a/manual/ctype.texi b/manual/ctype.texi
-index f05d509..ddf38ce 100644
---- a/manual/ctype.texi
-+++ b/manual/ctype.texi
-@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
- @comment ctype.h
- @comment ISO
- @deftypefun int islower (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The is* macros call __ctype_b_loc to get the ctype array from the
-+@c current locale, and then index it by c.  __ctype_b_loc reads from
-+@c thread-local memory the (indirect) pointer to the ctype array, which
-+@c may involve one word access to the global locale object, if that's
-+@c the active locale for the thread, and the array, being part of the
-+@c locale data, is undeletable, so there's no thread-safety issue.
- Returns true if @var{c} is a lower-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- @end deftypefun
-@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
- @comment ctype.h
- @comment ISO
- @deftypefun int isupper (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is an upper-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- @end deftypefun
-@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
- @comment ctype.h
- @comment ISO
- @deftypefun int isalpha (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is an alphabetic character (a letter).  If
- @code{islower} or @code{isupper} is true of a character, then
- @code{isalpha} is also true.
-@@ -97,6 +106,7 @@ additional characters.
- @comment ctype.h
- @comment ISO
- @deftypefun int isdigit (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
- @end deftypefun
- 
-@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
- @comment ctype.h
- @comment ISO
- @deftypefun int isalnum (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is an alphanumeric character (a letter or
- number); in other words, if either @code{isalpha} or @code{isdigit} is
- true of a character, then @code{isalnum} is also true.
-@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
- @comment ctype.h
- @comment ISO
- @deftypefun int isxdigit (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a hexadecimal digit.
- Hexadecimal digits include the normal decimal digits @samp{0} through
- @samp{9} and the letters @samp{A} through @samp{F} and
-@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
- @comment ctype.h
- @comment ISO
- @deftypefun int ispunct (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a punctuation character.
- This means any printing character that is not alphanumeric or a space
- character.
-@@ -132,6 +145,7 @@ character.
- @comment ctype.h
- @comment ISO
- @deftypefun int isspace (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
- @code{"C"} locale, @code{isspace} returns true for only the standard
- whitespace characters:
-@@ -161,6 +175,7 @@ vertical tab
- @comment ctype.h
- @comment ISO
- @deftypefun int isblank (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a blank character; that is, a space or a tab.
- This function was originally a GNU extension, but was added in @w{ISO C99}.
- @end deftypefun
-@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
- @comment ctype.h
- @comment ISO
- @deftypefun int isgraph (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a graphic character; that is, a character
- that has a glyph associated with it.  The whitespace characters are not
- considered graphic.
-@@ -178,6 +194,7 @@ considered graphic.
- @comment ctype.h
- @comment ISO
- @deftypefun int isprint (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a printing character.  Printing characters
- include all the graphic characters, plus the space (@samp{ }) character.
- @end deftypefun
-@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
- @comment ctype.h
- @comment ISO
- @deftypefun int iscntrl (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a control character (that is, a character that
- is not a printing character).
- @end deftypefun
-@@ -194,6 +212,7 @@ is not a printing character).
- @comment ctype.h
- @comment SVID, BSD
- @deftypefun int isascii (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
- into the US/UK ASCII character set.  This function is a BSD extension
- and is also an SVID extension.
-@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
- @comment ctype.h
- @comment ISO
- @deftypefun int tolower (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The to* macros/functions call different functions that use different
-+@c arrays than those of__ctype_b_loc, but the access patterns and
-+@c thus safety guarantees are the same.
- If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
- lower-case letter.  If @var{c} is not an upper-case letter,
- @var{c} is returned unchanged.
-@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
- @comment ctype.h
- @comment ISO
- @deftypefun int toupper (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
- upper-case letter.  Otherwise @var{c} is returned unchanged.
- @end deftypefun
-@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
- @comment ctype.h
- @comment SVID, BSD
- @deftypefun int toascii (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function converts @var{c} to a 7-bit @code{unsigned char} value
- that fits into the US/UK ASCII character set, by clearing the high-order
- bits.  This function is a BSD extension and is also an SVID extension.
-@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
- @comment ctype.h
- @comment SVID
- @deftypefun int _tolower (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is identical to @code{tolower}, and is provided for compatibility
- with the SVID.  @xref{SVID}.@refill
- @end deftypefun
-@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
- @comment ctype.h
- @comment SVID
- @deftypefun int _toupper (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is identical to @code{toupper}, and is provided for compatibility
- with the SVID.
- @end deftypefun
-@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wctype_t wctype (const char *@var{property})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c Although the source code of wctype contains multiple references to
-+@c the locale, that could each reference different locale_data objects
-+@c should the global locale object change while active, the compiler can
-+@c and does combine them all into a single dereference that resolves
-+@c once to the LCTYPE locale object used throughout the function, so it
-+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
-+@c the resolved locale_data object to make it visibly safe instead of
-+@c safe only under compiler optimizations.
- The @code{wctype} returns a value representing a class of wide
- characters which is identified by the string @var{property}.  Beside
- some standard properties each locale can define its own ones.  In case
-@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The compressed lookup table returned by wctype is read-only.
- This function returns a nonzero value if @var{wc} is in the character
- class specified by @var{desc}.  @var{desc} must previously be returned
- by a successful call to @code{wctype}.
-@@ -350,6 +388,15 @@ standard classes.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswalnum (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c The implicit wctype call in the isw* functions is actually an
-+@c optimized version because the category has a known offset, but the
-+@c wctype is equally safe when optimized, unsafe if not optimized.
-+@c Since it's not a macro, and we always optimize, it's fine.  The test
-+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
-+@c bring any other safety issues: the test does not depend on the
-+@c locale, and each path after the decision resolves the locale object
-+@c only once.
- This function returns a nonzero value if @var{wc} is an alphanumeric
- character (a letter or number); in other words, if either @code{iswalpha}
- or @code{iswdigit} is true of a character, then @code{iswalnum} is also
-@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswalpha (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is an alphabetic character (a letter).  If
- @code{iswlower} or @code{iswupper} is true of a character, then
- @code{iswalpha} is also true.
-@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswcntrl (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a control character (that is, a character that
- is not a printing character).
- 
-@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswdigit (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
- Please note that this function does not only return a nonzero value for
- @emph{decimal} digits, but for all kinds of digits.  A consequence is
-@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswgraph (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a graphic character; that is, a character
- that has a glyph associated with it.  The whitespace characters are not
- considered graphic.
-@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
- @comment ctype.h
- @comment ISO
- @deftypefun int iswlower (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a lower-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- 
-@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswprint (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a printing character.  Printing characters
- include all the graphic characters, plus the space (@samp{ }) character.
- 
-@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswpunct (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a punctuation character.
- This means any printing character that is not alphanumeric or a space
- character.
-@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswspace (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
- @code{"C"} locale, @code{iswspace} returns true for only the standard
- whitespace characters:
-@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswupper (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is an upper-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- 
-@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswxdigit (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a hexadecimal digit.
- Hexadecimal digits include the normal decimal digits @samp{0} through
- @samp{9} and the letters @samp{A} through @samp{F} and
-@@ -597,6 +654,7 @@ characters as well.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswblank (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a blank character; that is, a space or a tab.
- This function was originally a GNU extension, but was added in @w{ISO C99}.
- It is declared in @file{wchar.h}.
-@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wctrans_t wctrans (const char *@var{property})
--@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c Similar implementation, same caveats as wctype.
- The @code{wctrans} function has to be used to find out whether a named
- mapping is defined in the current locale selected for the
- @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
-@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
--@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Same caveats as iswctype.
- @code{towctrans} maps the input character @var{wc}
- according to the rules of the mapping for which @var{desc} is a
- descriptor, and returns the value it finds.  @var{desc} must be
-@@ -732,6 +792,9 @@ for them.
- @comment wctype.h
- @comment ISO
- @deftypefun wint_t towlower (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
-+@c table.
- If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
- lower-case letter.  If @var{wc} is not an upper-case letter,
- @var{wc} is returned unchanged.
-@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wint_t towupper (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
- upper-case letter.  Otherwise @var{wc} is returned unchanged.
- 
 diff --git a/manual/debug.texi b/manual/debug.texi
 index 1db9c18..ce0c263 100644
 --- a/manual/debug.texi

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=373cd1281ba686c2fef8b1307137684c40b28058

commit 373cd1281ba686c2fef8b1307137684c40b28058
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/???.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.
diff --git a/manual/arith.texi b/manual/arith.texi
index 833e0c9..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -323,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -373,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -384,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -395,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -2443,6 +2448,32 @@ as well.
 @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
 @c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and
diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the
diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of
diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor
diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat
diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the
diff --git a/manual/intro.texi b/manual/intro.texi
index 2630a77..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
 @code{setlocale} should not be called while these functions are active.
 
 
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
 @item @code{uunguard}
 @cindex uunguard
 
@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
 modified concurrently by other threads or signal handlers.
 
 
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
 @end itemize
 
 
@@ -305,11 +363,37 @@ as follows:
 
 Functions annotated with @code{staticbuf} use internal static buffers or
 variables in ways that may cause concurrent calls to interfere
-destructively.
+destructively.  
 
 These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
 
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
 
 @item @code{fdleak}
 @cindex fdleak
@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
 Functions marked with @code{selfdeadlock} take a non-recursive lock to
 ensure MT-Safety while modifying data structures guarded by the lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the result is a deadlock.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid a deadlock if any signal handler might need
@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
 MT-Safety while accessing or modifying data structures guarded by the
 lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the latter function may observe a partially updated,
-inconsistent data structure, and misbehave.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid the misbehavior that may ensue if any signal
@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
 only safe way to avoid the misbehavior that may ensure if the thread is
 canceled while the function is running.
 
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
 
 @item @code{simfpu}
 @cindex simfpu
diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the
diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,
diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym
diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3
diff --git a/manual/locale.texi b/manual/locale.texi
index 323268d..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-@safety{@mtunsafe{uunguard}}
-@c This function is MT-Safe, but uses of the global locale object are
-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
-@c the use of this function once threads are started.
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.
diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with
diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 
diff --git a/manual/stdio.texi b/manual/stdio.texi
index 7809dd4..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 @c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
@@ -267,7 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
 @c After fclose, it is undefined behavior to use the stream it points
 @c to.  Therefore, one must only call fclose when the stream is
 @c otherwise unused.  Concurrent uses started before will complete
@@ -2662,6 +2662,42 @@ pointer @var{ap}.
 @c case of cancellation.  This doesn't make it unsafe, but cancelling it
 @c may leak memory.  The unguarded use of __printf_function_table is
 @c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
 @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
 @c bringing with it additional potential for async trouble with
 @c list_all_lock.
@@ -5076,7 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -5192,7 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.
diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield
diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=341e0af39e89972732f33b2256ec2fbf58b1e847

commit 341e0af39e89972732f33b2256ec2fbf58b1e847
Merge: 22369f6 6d47d3e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:24 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=22369f6227522e2f4407b9abce208678d6b25c56

commit 22369f6227522e2f4407b9abce208678d6b25c56
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:24 2013 -0300

    rename

diff --git a/meta b/meta
index 17b9635..8fa23ce 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 0b75a41fcc67c6881f3b617255ab07bf329d5cac
+Previous: 6d47d3e1ad0ad4cbb739a9566bab050b7332879f
 Head: 263eed84f16353fb704fac8338422fb3f7b863fb
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
@@ -9,7 +9,7 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  thread-safety-documentation: 263eed84f16353fb704fac8338422fb3f7b863fb
+  manual-document-mt-safety-ctype.patch: 263eed84f16353fb704fac8338422fb3f7b863fb
 Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/thread-safety-documentation b/patches/manual-document-mt-safety-ctype.patch
similarity index 100%
rename from patches/thread-safety-documentation
rename to patches/manual-document-mt-safety-ctype.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=263eed84f16353fb704fac8338422fb3f7b863fb

commit 263eed84f16353fb704fac8338422fb3f7b863fb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6d47d3e1ad0ad4cbb739a9566bab050b7332879f

commit 6d47d3e1ad0ad4cbb739a9566bab050b7332879f
Merge: bd16efa 263eed8 0b75a41
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:20 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bd16efad2e7d1525257f2187add8a7387b61ec3a

commit bd16efad2e7d1525257f2187add8a7387b61ec3a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:20 2013 -0300

    push

diff --git a/meta b/meta
index b6d3dfd..17b9635 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 94bcb95c7761ccb5002d8edda88363348254fc9b
-Head: edeb8dbee9aa4cdef77764287545e16903acea6d
+Previous: 0b75a41fcc67c6881f3b617255ab07bf329d5cac
+Head: 263eed84f16353fb704fac8338422fb3f7b863fb
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -9,7 +9,7 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
+  thread-safety-documentation: 263eed84f16353fb704fac8338422fb3f7b863fb
 Unapplied:
-  thread-safety-documentation: 037925e5b8ba3712e9e445a6aa776f239cf442d6
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0b75a41fcc67c6881f3b617255ab07bf329d5cac

commit 0b75a41fcc67c6881f3b617255ab07bf329d5cac
Merge: 7d52af6 94bcb95
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:17 2013 -0300

    delete


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7d52af62bb639f5544bca7e8b69d8f3345c62534

commit 7d52af62bb639f5544bca7e8b69d8f3345c62534
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:17 2013 -0300

    delete

diff --git a/meta b/meta
index a644764..b6d3dfd 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 21f52a44eea40f61c3498a5656d52bdcd2dec5a3
+Previous: 94bcb95c7761ccb5002d8edda88363348254fc9b
 Head: edeb8dbee9aa4cdef77764287545e16903acea6d
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
@@ -10,7 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
 Unapplied:
-  manual-document-mt-safety-ctype.patch: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
   thread-safety-documentation: 037925e5b8ba3712e9e445a6aa776f239cf442d6
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
deleted file mode 100644
index 2a75975..0000000
--- a/patches/manual-document-mt-safety-ctype.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
-Top:    493d959bda4db41836ea91b2b9685b47ab733575
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 15:29:41 -0300
-
-Thread safety documentation.
-
-for ChangeLog
-
-	* manual/ctype.texi: Document thread safety properties.
-
-
----
-
-

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=94bcb95c7761ccb5002d8edda88363348254fc9b

commit 94bcb95c7761ccb5002d8edda88363348254fc9b
Merge: b8254dd 21f52a4
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:13 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b8254dd65ab141ad4ff97a3ef57353bcd6128cc1

commit b8254dd65ab141ad4ff97a3ef57353bcd6128cc1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:13 2013 -0300

    pop

diff --git a/meta b/meta
index 36e927d..a644764 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 01ba6509e76c37c53f223aa41a356f828ae95dd9
-Head: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
+Previous: 21f52a44eea40f61c3498a5656d52bdcd2dec5a3
+Head: edeb8dbee9aa4cdef77764287545e16903acea6d
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -9,8 +9,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  manual-document-mt-safety-ctype.patch: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
 Unapplied:
+  manual-document-mt-safety-ctype.patch: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
   thread-safety-documentation: 037925e5b8ba3712e9e445a6aa776f239cf442d6
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=21f52a44eea40f61c3498a5656d52bdcd2dec5a3

commit 21f52a44eea40f61c3498a5656d52bdcd2dec5a3
Merge: ca3235f 01ba650
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:11 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ca3235f0c5bc0ab96bb1731e5330d87e7ffc3ba0

commit ca3235f0c5bc0ab96bb1731e5330d87e7ffc3ba0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:50:11 2013 -0300

    pop

diff --git a/meta b/meta
index 9037bb4..36e927d 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b204cd705feb2a980347509a610cf2c69c94d0c4
-Head: 037925e5b8ba3712e9e445a6aa776f239cf442d6
+Previous: 01ba6509e76c37c53f223aa41a356f828ae95dd9
+Head: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,7 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
-  thread-safety-documentation: 037925e5b8ba3712e9e445a6aa776f239cf442d6
 Unapplied:
+  thread-safety-documentation: 037925e5b8ba3712e9e445a6aa776f239cf442d6
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=01ba6509e76c37c53f223aa41a356f828ae95dd9

commit 01ba6509e76c37c53f223aa41a356f828ae95dd9
Merge: b990842 b204cd7 037925e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:34 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b990842c0048131094b4c998a42878d030656563

commit b990842c0048131094b4c998a42878d030656563
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:34 2013 -0300

    push

diff --git a/meta b/meta
index bda615a..9037bb4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: d23f7c10ca80160c18a6244ffd6bb1063ee0fdc4
-Head: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
+Previous: b204cd705feb2a980347509a610cf2c69c94d0c4
+Head: 037925e5b8ba3712e9e445a6aa776f239cf442d6
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,7 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
+  thread-safety-documentation: 037925e5b8ba3712e9e445a6aa776f239cf442d6
 Unapplied:
-  thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=037925e5b8ba3712e9e445a6aa776f239cf442d6

commit 037925e5b8ba3712e9e445a6aa776f239cf442d6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b204cd705feb2a980347509a610cf2c69c94d0c4

commit b204cd705feb2a980347509a610cf2c69c94d0c4
Merge: 93ded1a d23f7c1 c4d8656
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:29 2013 -0300

    float


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=93ded1a7958ba004b87ebe83c131cd7b4596fe27

commit 93ded1a7958ba004b87ebe83c131cd7b4596fe27
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:29 2013 -0300

    float

diff --git a/meta b/meta
index e19bd6a..bda615a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: ded1cbad68c823f7e5a5fb954335efc3deea5099
-Head: edeb8dbee9aa4cdef77764287545e16903acea6d
+Previous: d23f7c10ca80160c18a6244ffd6bb1063ee0fdc4
+Head: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -9,8 +9,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
+  manual-document-mt-safety-ctype.patch: c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
 Unapplied:
   thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
-  manual-document-mt-safety-ctype.patch: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 81dc143..2a75975 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
-Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
+Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
+Top:    493d959bda4db41836ea91b2b9685b47ab733575
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c

commit c4d86565aa8b23d5d5bbf14be5a4de9e3becd01c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d23f7c10ca80160c18a6244ffd6bb1063ee0fdc4

commit d23f7c10ca80160c18a6244ffd6bb1063ee0fdc4
Merge: 9be9722 ded1cba
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:22 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=9be97221622fd917db1c217b6ca09f5005021d33

commit 9be97221622fd917db1c217b6ca09f5005021d33
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:22 2013 -0300

    pop

diff --git a/meta b/meta
index aa02944..e19bd6a 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 1f8aef10fb0532c119933b7180448195cae41286
-Head: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
+Previous: ded1cbad68c823f7e5a5fb954335efc3deea5099
+Head: edeb8dbee9aa4cdef77764287545e16903acea6d
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -9,8 +9,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
 Unapplied:
+  thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
   manual-document-mt-safety-ctype.patch: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ded1cbad68c823f7e5a5fb954335efc3deea5099

commit ded1cbad68c823f7e5a5fb954335efc3deea5099
Merge: 8c29027 1f8aef1
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:19 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8c29027c5903c5b06b3b047951e446c8323a5231

commit 8c29027c5903c5b06b3b047951e446c8323a5231
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:19 2013 -0300

    pop

diff --git a/meta b/meta
index 7678427..aa02944 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 42127c6adf6b3fb40b817039381af0c76d6cd909
-Head: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
+Previous: 1f8aef10fb0532c119933b7180448195cae41286
+Head: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,7 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
-  manual-document-mt-safety-ctype.patch: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
 Unapplied:
+  manual-document-mt-safety-ctype.patch: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1f8aef10fb0532c119933b7180448195cae41286

commit 1f8aef10fb0532c119933b7180448195cae41286
Merge: 13a2bc4 42127c6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:04 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=13a2bc492778d981dd7a1abc62b99bcea4155bad

commit 13a2bc492778d981dd7a1abc62b99bcea4155bad
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:04 2013 -0300

    refresh

diff --git a/meta b/meta
index 2805221..7678427 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 90cb66ac53976afa5ea21d24129a11802391cef4
-Head: da0b8049fb1c9a2e5ab1163bbc2af928add275a3
+Previous: 42127c6adf6b3fb40b817039381af0c76d6cd909
+Head: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -11,7 +11,6 @@ Applied:
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
   manual-document-mt-safety-ctype.patch: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
-  refresh-temp: da0b8049fb1c9a2e5ab1163bbc2af928add275a3
 Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index a9314fd..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,10 +0,0 @@
-Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
-Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 21:49:03 -0300
-
-Refresh of manual-document-mt-safety-ctype.patch
-
----
-
-

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=42127c6adf6b3fb40b817039381af0c76d6cd909

commit 42127c6adf6b3fb40b817039381af0c76d6cd909
Merge: 35ad4eb da0b804 90cb66a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:04 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=35ad4ebdd4491aadf7c92045a079db207b038d65

commit 35ad4ebdd4491aadf7c92045a079db207b038d65
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:04 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index f235c98..2805221 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: d8fff601b7c4051337384975bb7fdbd1c076b15b
-Head: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
+Previous: 90cb66ac53976afa5ea21d24129a11802391cef4
+Head: da0b8049fb1c9a2e5ab1163bbc2af928add275a3
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -11,6 +11,7 @@ Applied:
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
   manual-document-mt-safety-ctype.patch: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
+  refresh-temp: da0b8049fb1c9a2e5ab1163bbc2af928add275a3
 Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..a9314fd
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,10 @@
+Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
+Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 21:49:03 -0300
+
+Refresh of manual-document-mt-safety-ctype.patch
+
+---
+
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=da0b8049fb1c9a2e5ab1163bbc2af928add275a3

commit da0b8049fb1c9a2e5ab1163bbc2af928add275a3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:49:03 2013 -0300

    Refresh of manual-document-mt-safety-ctype.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=90cb66ac53976afa5ea21d24129a11802391cef4

commit 90cb66ac53976afa5ea21d24129a11802391cef4
Merge: eb807d7 d8fff60 4b596f7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:48:22 2013 -0300

    push (CONFLICT)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=eb807d7e094a4927569dbd237278a0319b1cab1a

commit eb807d7e094a4927569dbd237278a0319b1cab1a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:48:22 2013 -0300

    push (CONFLICT)

diff --git a/meta b/meta
index 72174f4..f235c98 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 5287c793843e946fd2f478b0a2785249cc640f9c
-Head: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
+Previous: d8fff601b7c4051337384975bb7fdbd1c076b15b
+Head: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,7 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
+  manual-document-mt-safety-ctype.patch: 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
 Unapplied:
-  manual-document-mt-safety-ctype.patch: b1da9d49b81e23d658de4369181599c33e3acd9e
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 40dba95..81dc143 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
-Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
-Top:    eb7c2702254befc63994aae3ba24a286ee829464
+Bottom: a80e3502e79676408b83a0ee8d2c01161f2e1895
+Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
@@ -12,779 +12,4 @@ for ChangeLog
 
 ---
 
-diff --git a/manual/ctype.texi b/manual/ctype.texi
-deleted file mode 100644
-index 3d13571..0000000
---- a/manual/ctype.texi
-+++ /dev/null
-@@ -1,770 +0,0 @@
--@node Character Handling, String and Array Utilities, Memory, Top
--@c %MENU% Character testing and conversion functions
--@chapter Character Handling
--
--Programs that work with characters and strings often need to classify a
--character---is it alphabetic, is it a digit, is it whitespace, and so
--on---and perform case conversion operations on characters.  The
--functions in the header file @file{ctype.h} are provided for this
--purpose.
--@pindex ctype.h
--
--Since the choice of locale and character set can alter the
--classifications of particular character codes, all of these functions
--are affected by the current locale.  (More precisely, they are affected
--by the locale currently selected for character classification---the
--@code{LC_CTYPE} category; see @ref{Locale Categories}.)
--
--The @w{ISO C} standard specifies two different sets of functions.  The
--one set works on @code{char} type characters, the other one on
--@code{wchar_t} wide characters (@pxref{Extended Char Intro}).
--
--@menu
--* Classification of Characters::       Testing whether characters are
--			                letters, digits, punctuation, etc.
--
--* Case Conversion::                    Case mapping, and the like.
--* Classification of Wide Characters::  Character class determination for
--                                        wide characters.
--* Using Wide Char Classes::            Notes on using the wide character
--                                        classes.
--* Wide Character Case Conversion::     Mapping of wide characters.
--@end menu
--
--@node Classification of Characters, Case Conversion,  , Character Handling
--@section Classification of Characters
--@cindex character testing
--@cindex classification of characters
--@cindex predicates on characters
--@cindex character predicates
--
--This section explains the library functions for classifying characters.
--For example, @code{isalpha} is the function to test for an alphabetic
--character.  It takes one argument, the character to test, and returns a
--nonzero integer if the character is alphabetic, and zero otherwise.  You
--would use it like this:
--
--@smallexample
--if (isalpha (c))
--  printf ("The character `%c' is alphabetic.\n", c);
--@end smallexample
--
--Each of the functions in this section tests for membership in a
--particular class of characters; each has a name starting with @samp{is}.
--Each of them takes one argument, which is a character to test, and
--returns an @code{int} which is treated as a boolean value.  The
--character argument is passed as an @code{int}, and it may be the
--constant value @code{EOF} instead of a real character.
--
--The attributes of any given character can vary between locales.
--@xref{Locales}, for more information on locales.@refill
--
--These functions are declared in the header file @file{ctype.h}.
--@pindex ctype.h
--
--@cindex lower-case character
--@comment ctype.h
--@comment ISO
--@deftypefun int islower (int @var{c})
--Returns true if @var{c} is a lower-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--@end deftypefun
--
--@cindex upper-case character
--@comment ctype.h
--@comment ISO
--@deftypefun int isupper (int @var{c})
--Returns true if @var{c} is an upper-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--@end deftypefun
--
--@cindex alphabetic character
--@comment ctype.h
--@comment ISO
--@deftypefun int isalpha (int @var{c})
--Returns true if @var{c} is an alphabetic character (a letter).  If
--@code{islower} or @code{isupper} is true of a character, then
--@code{isalpha} is also true.
--
--In some locales, there may be additional characters for which
--@code{isalpha} is true---letters which are neither upper case nor lower
--case.  But in the standard @code{"C"} locale, there are no such
--additional characters.
--@end deftypefun
--
--@cindex digit character
--@cindex decimal digit character
--@comment ctype.h
--@comment ISO
--@deftypefun int isdigit (int @var{c})
--Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
--@end deftypefun
--
--@cindex alphanumeric character
--@comment ctype.h
--@comment ISO
--@deftypefun int isalnum (int @var{c})
--Returns true if @var{c} is an alphanumeric character (a letter or
--number); in other words, if either @code{isalpha} or @code{isdigit} is
--true of a character, then @code{isalnum} is also true.
--@end deftypefun
--
--@cindex hexadecimal digit character
--@comment ctype.h
--@comment ISO
--@deftypefun int isxdigit (int @var{c})
--Returns true if @var{c} is a hexadecimal digit.
--Hexadecimal digits include the normal decimal digits @samp{0} through
--@samp{9} and the letters @samp{A} through @samp{F} and
--@samp{a} through @samp{f}.
--@end deftypefun
--
--@cindex punctuation character
--@comment ctype.h
--@comment ISO
--@deftypefun int ispunct (int @var{c})
--Returns true if @var{c} is a punctuation character.
--This means any printing character that is not alphanumeric or a space
--character.
--@end deftypefun
--
--@cindex whitespace character
--@comment ctype.h
--@comment ISO
--@deftypefun int isspace (int @var{c})
--Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
--@code{"C"} locale, @code{isspace} returns true for only the standard
--whitespace characters:
--
--@table @code
--@item ' '
--space
--
--@item '\f'
--formfeed
--
--@item '\n'
--newline
--
--@item '\r'
--carriage return
--
--@item '\t'
--horizontal tab
--
--@item '\v'
--vertical tab
--@end table
--@end deftypefun
--
--@cindex blank character
--@comment ctype.h
--@comment ISO
--@deftypefun int isblank (int @var{c})
--Returns true if @var{c} is a blank character; that is, a space or a tab.
--This function was originally a GNU extension, but was added in @w{ISO C99}.
--@end deftypefun
--
--@cindex graphic character
--@comment ctype.h
--@comment ISO
--@deftypefun int isgraph (int @var{c})
--Returns true if @var{c} is a graphic character; that is, a character
--that has a glyph associated with it.  The whitespace characters are not
--considered graphic.
--@end deftypefun
--
--@cindex printing character
--@comment ctype.h
--@comment ISO
--@deftypefun int isprint (int @var{c})
--Returns true if @var{c} is a printing character.  Printing characters
--include all the graphic characters, plus the space (@samp{ }) character.
--@end deftypefun
--
--@cindex control character
--@comment ctype.h
--@comment ISO
--@deftypefun int iscntrl (int @var{c})
--Returns true if @var{c} is a control character (that is, a character that
--is not a printing character).
--@end deftypefun
--
--@cindex ASCII character
--@comment ctype.h
--@comment SVID, BSD
--@deftypefun int isascii (int @var{c})
--Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
--into the US/UK ASCII character set.  This function is a BSD extension
--and is also an SVID extension.
--@end deftypefun
--
--@node Case Conversion, Classification of Wide Characters, Classification of Characters, Character Handling
--@section Case Conversion
--@cindex character case conversion
--@cindex case conversion of characters
--@cindex converting case of characters
--
--This section explains the library functions for performing conversions
--such as case mappings on characters.  For example, @code{toupper}
--converts any character to upper case if possible.  If the character
--can't be converted, @code{toupper} returns it unchanged.
--
--These functions take one argument of type @code{int}, which is the
--character to convert, and return the converted character as an
--@code{int}.  If the conversion is not applicable to the argument given,
--the argument is returned unchanged.
--
--@strong{Compatibility Note:} In pre-@w{ISO C} dialects, instead of
--returning the argument unchanged, these functions may fail when the
--argument is not suitable for the conversion.  Thus for portability, you
--may need to write @code{islower(c) ? toupper(c) : c} rather than just
--@code{toupper(c)}.
--
--These functions are declared in the header file @file{ctype.h}.
--@pindex ctype.h
--
--@comment ctype.h
--@comment ISO
--@deftypefun int tolower (int @var{c})
--If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
--lower-case letter.  If @var{c} is not an upper-case letter,
--@var{c} is returned unchanged.
--@end deftypefun
--
--@comment ctype.h
--@comment ISO
--@deftypefun int toupper (int @var{c})
--If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
--upper-case letter.  Otherwise @var{c} is returned unchanged.
--@end deftypefun
--
--@comment ctype.h
--@comment SVID, BSD
--@deftypefun int toascii (int @var{c})
--This function converts @var{c} to a 7-bit @code{unsigned char} value
--that fits into the US/UK ASCII character set, by clearing the high-order
--bits.  This function is a BSD extension and is also an SVID extension.
--@end deftypefun
--
--@comment ctype.h
--@comment SVID
--@deftypefun int _tolower (int @var{c})
--This is identical to @code{tolower}, and is provided for compatibility
--with the SVID.  @xref{SVID}.@refill
--@end deftypefun
--
--@comment ctype.h
--@comment SVID
--@deftypefun int _toupper (int @var{c})
--This is identical to @code{toupper}, and is provided for compatibility
--with the SVID.
--@end deftypefun
--
--
--@node Classification of Wide Characters, Using Wide Char Classes, Case Conversion, Character Handling
--@section Character class determination for wide characters
--
--@w{Amendment 1} to @w{ISO C90} defines functions to classify wide
--characters.  Although the original @w{ISO C90} standard already defined
--the type @code{wchar_t}, no functions operating on them were defined.
--
--The general design of the classification functions for wide characters
--is more general.  It allows extensions to the set of available
--classifications, beyond those which are always available.  The POSIX
--standard specifies how extensions can be made, and this is already
--implemented in the @glibcadj{} implementation of the @code{localedef}
--program.
--
--The character class functions are normally implemented with bitsets,
--with a bitset per character.  For a given character, the appropriate
--bitset is read from a table and a test is performed as to whether a
--certain bit is set.  Which bit is tested for is determined by the
--class.
--
--For the wide character classification functions this is made visible.
--There is a type classification type defined, a function to retrieve this
--value for a given class, and a function to test whether a given
--character is in this class, using the classification value.  On top of
--this the normal character classification functions as used for
--@code{char} objects can be defined.
--
--@comment wctype.h
--@comment ISO
--@deftp {Data type} wctype_t
--The @code{wctype_t} can hold a value which represents a character class.
--The only defined way to generate such a value is by using the
--@code{wctype} function.
--
--@pindex wctype.h
--This type is defined in @file{wctype.h}.
--@end deftp
--
--@comment wctype.h
--@comment ISO
--@deftypefun wctype_t wctype (const char *@var{property})
--The @code{wctype} returns a value representing a class of wide
--characters which is identified by the string @var{property}.  Beside
--some standard properties each locale can define its own ones.  In case
--no property with the given name is known for the current locale
--selected for the @code{LC_CTYPE} category, the function returns zero.
--
--@noindent
--The properties known in every locale are:
--
--@multitable @columnfractions .25 .25 .25 .25
--@item
--@code{"alnum"} @tab @code{"alpha"} @tab @code{"cntrl"} @tab @code{"digit"}
--@item
--@code{"graph"} @tab @code{"lower"} @tab @code{"print"} @tab @code{"punct"}
--@item
--@code{"space"} @tab @code{"upper"} @tab @code{"xdigit"}
--@end multitable
--
--@pindex wctype.h
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--To test the membership of a character to one of the non-standard classes
--the @w{ISO C} standard defines a completely new function.
--
--@comment wctype.h
--@comment ISO
--@deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
--This function returns a nonzero value if @var{wc} is in the character
--class specified by @var{desc}.  @var{desc} must previously be returned
--by a successful call to @code{wctype}.
--
--@pindex wctype.h
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--To make it easier to use the commonly-used classification functions,
--they are defined in the C library.  There is no need to use
--@code{wctype} if the property string is one of the known character
--classes.  In some situations it is desirable to construct the property
--strings, and then it is important that @code{wctype} can also handle the
--standard classes.
--
--@cindex alphanumeric character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswalnum (wint_t @var{wc})
--This function returns a nonzero value if @var{wc} is an alphanumeric
--character (a letter or number); in other words, if either @code{iswalpha}
--or @code{iswdigit} is true of a character, then @code{iswalnum} is also
--true.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("alnum"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex alphabetic character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswalpha (wint_t @var{wc})
--Returns true if @var{wc} is an alphabetic character (a letter).  If
--@code{iswlower} or @code{iswupper} is true of a character, then
--@code{iswalpha} is also true.
--
--In some locales, there may be additional characters for which
--@code{iswalpha} is true---letters which are neither upper case nor lower
--case.  But in the standard @code{"C"} locale, there are no such
--additional characters.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("alpha"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex control character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswcntrl (wint_t @var{wc})
--Returns true if @var{wc} is a control character (that is, a character that
--is not a printing character).
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("cntrl"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex digit character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswdigit (wint_t @var{wc})
--Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
--Please note that this function does not only return a nonzero value for
--@emph{decimal} digits, but for all kinds of digits.  A consequence is
--that code like the following will @strong{not} work unconditionally for
--wide characters:
--
--@smallexample
--n = 0;
--while (iswdigit (*wc))
--  @{
--    n *= 10;
--    n += *wc++ - L'0';
--  @}
--@end smallexample
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("digit"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex graphic character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswgraph (wint_t @var{wc})
--Returns true if @var{wc} is a graphic character; that is, a character
--that has a glyph associated with it.  The whitespace characters are not
--considered graphic.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("graph"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex lower-case character
--@comment ctype.h
--@comment ISO
--@deftypefun int iswlower (wint_t @var{wc})
--Returns true if @var{wc} is a lower-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("lower"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex printing character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswprint (wint_t @var{wc})
--Returns true if @var{wc} is a printing character.  Printing characters
--include all the graphic characters, plus the space (@samp{ }) character.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("print"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex punctuation character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswpunct (wint_t @var{wc})
--Returns true if @var{wc} is a punctuation character.
--This means any printing character that is not alphanumeric or a space
--character.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("punct"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex whitespace character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswspace (wint_t @var{wc})
--Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
--@code{"C"} locale, @code{iswspace} returns true for only the standard
--whitespace characters:
--
--@table @code
--@item L' '
--space
--
--@item L'\f'
--formfeed
--
--@item L'\n'
--newline
--
--@item L'\r'
--carriage return
--
--@item L'\t'
--horizontal tab
--
--@item L'\v'
--vertical tab
--@end table
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("space"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex upper-case character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswupper (wint_t @var{wc})
--Returns true if @var{wc} is an upper-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("upper"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex hexadecimal digit character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswxdigit (wint_t @var{wc})
--Returns true if @var{wc} is a hexadecimal digit.
--Hexadecimal digits include the normal decimal digits @samp{0} through
--@samp{9} and the letters @samp{A} through @samp{F} and
--@samp{a} through @samp{f}.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("xdigit"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@Theglibc{} also provides a function which is not defined in the
--@w{ISO C} standard but which is available as a version for single byte
--characters as well.
--
--@cindex blank character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswblank (wint_t @var{wc})
--Returns true if @var{wc} is a blank character; that is, a space or a tab.
--This function was originally a GNU extension, but was added in @w{ISO C99}.
--It is declared in @file{wchar.h}.
--@end deftypefun
--
--@node Using Wide Char Classes, Wide Character Case Conversion, Classification of Wide Characters, Character Handling
--@section Notes on using the wide character classes
--
--The first note is probably not astonishing but still occasionally a
--cause of problems.  The @code{isw@var{XXX}} functions can be implemented
--using macros and in fact, @theglibc{} does this.  They are still
--available as real functions but when the @file{wctype.h} header is
--included the macros will be used.  This is the same as the
--@code{char} type versions of these functions.
--
--The second note covers something new.  It can be best illustrated by a
--(real-world) example.  The first piece of code is an excerpt from the
--original code.  It is truncated a bit but the intention should be clear.
--
--@smallexample
--int
--is_in_class (int c, const char *class)
--@{
--  if (strcmp (class, "alnum") == 0)
--    return isalnum (c);
--  if (strcmp (class, "alpha") == 0)
--    return isalpha (c);
--  if (strcmp (class, "cntrl") == 0)
--    return iscntrl (c);
--  @dots{}
--  return 0;
--@}
--@end smallexample
--
--Now, with the @code{wctype} and @code{iswctype} you can avoid the
--@code{if} cascades, but rewriting the code as follows is wrong:
--
--@smallexample
--int
--is_in_class (int c, const char *class)
--@{
--  wctype_t desc = wctype (class);
--  return desc ? iswctype ((wint_t) c, desc) : 0;
--@}
--@end smallexample
--
--The problem is that it is not guaranteed that the wide character
--representation of a single-byte character can be found using casting.
--In fact, usually this fails miserably.  The correct solution to this
--problem is to write the code as follows:
--
--@smallexample
--int
--is_in_class (int c, const char *class)
--@{
--  wctype_t desc = wctype (class);
--  return desc ? iswctype (btowc (c), desc) : 0;
--@}
--@end smallexample
--
--@xref{Converting a Character}, for more information on @code{btowc}.
--Note that this change probably does not improve the performance
--of the program a lot since the @code{wctype} function still has to make
--the string comparisons.  It gets really interesting if the
--@code{is_in_class} function is called more than once for the
--same class name.  In this case the variable @var{desc} could be computed
--once and reused for all the calls.  Therefore the above form of the
--function is probably not the final one.
--
--
--@node Wide Character Case Conversion, , Using Wide Char Classes, Character Handling
--@section Mapping of wide characters.
--
--The classification functions are also generalized by the @w{ISO C}
--standard.  Instead of just allowing the two standard mappings, a
--locale can contain others.  Again, the @code{localedef} program
--already supports generating such locale data files.
--
--@comment wctype.h
--@comment ISO
--@deftp {Data Type} wctrans_t
--This data type is defined as a scalar type which can hold a value
--representing the locale-dependent character mapping.  There is no way to
--construct such a value apart from using the return value of the
--@code{wctrans} function.
--
--@pindex wctype.h
--@noindent
--This type is defined in @file{wctype.h}.
--@end deftp
--
--@comment wctype.h
--@comment ISO
--@deftypefun wctrans_t wctrans (const char *@var{property})
--The @code{wctrans} function has to be used to find out whether a named
--mapping is defined in the current locale selected for the
--@code{LC_CTYPE} category.  If the returned value is non-zero, you can use
--it afterwards in calls to @code{towctrans}.  If the return value is
--zero no such mapping is known in the current locale.
--
--Beside locale-specific mappings there are two mappings which are
--guaranteed to be available in every locale:
--
--@multitable @columnfractions .5 .5
--@item
--@code{"tolower"} @tab @code{"toupper"}
--@end multitable
--
--@pindex wctype.h
--@noindent
--These functions are declared in @file{wctype.h}.
--@end deftypefun
--
--@comment wctype.h
--@comment ISO
--@deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
--@code{towctrans} maps the input character @var{wc}
--according to the rules of the mapping for which @var{desc} is a
--descriptor, and returns the value it finds.  @var{desc} must be
--obtained by a successful call to @code{wctrans}.
--
--@pindex wctype.h
--@noindent
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--For the generally available mappings, the @w{ISO C} standard defines
--convenient shortcuts so that it is not necessary to call @code{wctrans}
--for them.
--
--@comment wctype.h
--@comment ISO
--@deftypefun wint_t towlower (wint_t @var{wc})
--If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
--lower-case letter.  If @var{wc} is not an upper-case letter,
--@var{wc} is returned unchanged.
--
--@noindent
--@code{towlower} can be implemented using
--
--@smallexample
--towctrans (wc, wctrans ("tolower"))
--@end smallexample
--
--@pindex wctype.h
--@noindent
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--@comment wctype.h
--@comment ISO
--@deftypefun wint_t towupper (wint_t @var{wc})
--If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
--upper-case letter.  Otherwise @var{wc} is returned unchanged.
--
--@noindent
--@code{towupper} can be implemented using
--
--@smallexample
--towctrans (wc, wctrans ("toupper"))
--@end smallexample
--
--@pindex wctype.h
--@noindent
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--The same warnings given in the last section for the use of the wide
--character classification functions apply here.  It is not possible to
--simply cast a @code{char} type value to a @code{wint_t} and use it as an
--argument to @code{towctrans} calls.
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368

commit 4b596f7cb8d6e09ce5f72cb1cb02bc0ed0b31368
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d8fff601b7c4051337384975bb7fdbd1c076b15b

commit d8fff601b7c4051337384975bb7fdbd1c076b15b
Merge: 8ebb9bc 5287c79 1ae8e2e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:48:14 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8ebb9bc501031359a6f474e70546a975d8e89269

commit 8ebb9bc501031359a6f474e70546a975d8e89269
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:48:14 2013 -0300

    refresh

diff --git a/meta b/meta
index 150ab75..72174f4 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b6864e5d068d813c95f42cc42a4af998364b9e2d
-Head: 1c7a149c0726600eabeb718bf88b5d82031f6857
+Previous: 5287c793843e946fd2f478b0a2785249cc640f9c
+Head: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -9,8 +9,7 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  thread-safety-documentation: fbb71ce3cced40f87c25964011852d114f327c36
-  refresh-temp: 1c7a149c0726600eabeb718bf88b5d82031f6857
+  thread-safety-documentation: 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
 Unapplied:
   manual-document-mt-safety-ctype.patch: b1da9d49b81e23d658de4369181599c33e3acd9e
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 702824c..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,332 +0,0 @@
-Bottom: 1f38562405d3b5dadb8c27bd94ec1cba5a2481da
-Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 21:48:14 -0300
-
-Refresh of thread-safety-documentation
-
----
-
-diff --git a/manual/ctype.texi b/manual/ctype.texi
-index f05d509..ddf38ce 100644
---- a/manual/ctype.texi
-+++ b/manual/ctype.texi
-@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
- @comment ctype.h
- @comment ISO
- @deftypefun int islower (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The is* macros call __ctype_b_loc to get the ctype array from the
-+@c current locale, and then index it by c.  __ctype_b_loc reads from
-+@c thread-local memory the (indirect) pointer to the ctype array, which
-+@c may involve one word access to the global locale object, if that's
-+@c the active locale for the thread, and the array, being part of the
-+@c locale data, is undeletable, so there's no thread-safety issue.
- Returns true if @var{c} is a lower-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- @end deftypefun
-@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
- @comment ctype.h
- @comment ISO
- @deftypefun int isupper (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is an upper-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- @end deftypefun
-@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
- @comment ctype.h
- @comment ISO
- @deftypefun int isalpha (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is an alphabetic character (a letter).  If
- @code{islower} or @code{isupper} is true of a character, then
- @code{isalpha} is also true.
-@@ -97,6 +106,7 @@ additional characters.
- @comment ctype.h
- @comment ISO
- @deftypefun int isdigit (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
- @end deftypefun
- 
-@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
- @comment ctype.h
- @comment ISO
- @deftypefun int isalnum (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is an alphanumeric character (a letter or
- number); in other words, if either @code{isalpha} or @code{isdigit} is
- true of a character, then @code{isalnum} is also true.
-@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
- @comment ctype.h
- @comment ISO
- @deftypefun int isxdigit (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a hexadecimal digit.
- Hexadecimal digits include the normal decimal digits @samp{0} through
- @samp{9} and the letters @samp{A} through @samp{F} and
-@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
- @comment ctype.h
- @comment ISO
- @deftypefun int ispunct (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a punctuation character.
- This means any printing character that is not alphanumeric or a space
- character.
-@@ -132,6 +145,7 @@ character.
- @comment ctype.h
- @comment ISO
- @deftypefun int isspace (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
- @code{"C"} locale, @code{isspace} returns true for only the standard
- whitespace characters:
-@@ -161,6 +175,7 @@ vertical tab
- @comment ctype.h
- @comment ISO
- @deftypefun int isblank (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a blank character; that is, a space or a tab.
- This function was originally a GNU extension, but was added in @w{ISO C99}.
- @end deftypefun
-@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
- @comment ctype.h
- @comment ISO
- @deftypefun int isgraph (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a graphic character; that is, a character
- that has a glyph associated with it.  The whitespace characters are not
- considered graphic.
-@@ -178,6 +194,7 @@ considered graphic.
- @comment ctype.h
- @comment ISO
- @deftypefun int isprint (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a printing character.  Printing characters
- include all the graphic characters, plus the space (@samp{ }) character.
- @end deftypefun
-@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
- @comment ctype.h
- @comment ISO
- @deftypefun int iscntrl (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a control character (that is, a character that
- is not a printing character).
- @end deftypefun
-@@ -194,6 +212,7 @@ is not a printing character).
- @comment ctype.h
- @comment SVID, BSD
- @deftypefun int isascii (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
- into the US/UK ASCII character set.  This function is a BSD extension
- and is also an SVID extension.
-@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
- @comment ctype.h
- @comment ISO
- @deftypefun int tolower (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The to* macros/functions call different functions that use different
-+@c arrays than those of__ctype_b_loc, but the access patterns and
-+@c thus safety guarantees are the same.
- If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
- lower-case letter.  If @var{c} is not an upper-case letter,
- @var{c} is returned unchanged.
-@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
- @comment ctype.h
- @comment ISO
- @deftypefun int toupper (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
- upper-case letter.  Otherwise @var{c} is returned unchanged.
- @end deftypefun
-@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
- @comment ctype.h
- @comment SVID, BSD
- @deftypefun int toascii (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This function converts @var{c} to a 7-bit @code{unsigned char} value
- that fits into the US/UK ASCII character set, by clearing the high-order
- bits.  This function is a BSD extension and is also an SVID extension.
-@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
- @comment ctype.h
- @comment SVID
- @deftypefun int _tolower (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is identical to @code{tolower}, and is provided for compatibility
- with the SVID.  @xref{SVID}.@refill
- @end deftypefun
-@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
- @comment ctype.h
- @comment SVID
- @deftypefun int _toupper (int @var{c})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
- This is identical to @code{toupper}, and is provided for compatibility
- with the SVID.
- @end deftypefun
-@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wctype_t wctype (const char *@var{property})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c Although the source code of wctype contains multiple references to
-+@c the locale, that could each reference different locale_data objects
-+@c should the global locale object change while active, the compiler can
-+@c and does combine them all into a single dereference that resolves
-+@c once to the LCTYPE locale object used throughout the function, so it
-+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
-+@c the resolved locale_data object to make it visibly safe instead of
-+@c safe only under compiler optimizations.
- The @code{wctype} returns a value representing a class of wide
- characters which is identified by the string @var{property}.  Beside
- some standard properties each locale can define its own ones.  In case
-@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c The compressed lookup table returned by wctype is read-only.
- This function returns a nonzero value if @var{wc} is in the character
- class specified by @var{desc}.  @var{desc} must previously be returned
- by a successful call to @code{wctype}.
-@@ -350,6 +388,15 @@ standard classes.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswalnum (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c The implicit wctype call in the isw* functions is actually an
-+@c optimized version because the category has a known offset, but the
-+@c wctype is equally safe when optimized, unsafe if not optimized.
-+@c Since it's not a macro, and we always optimize, it's fine.  The test
-+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
-+@c bring any other safety issues: the test does not depend on the
-+@c locale, and each path after the decision resolves the locale object
-+@c only once.
- This function returns a nonzero value if @var{wc} is an alphanumeric
- character (a letter or number); in other words, if either @code{iswalpha}
- or @code{iswdigit} is true of a character, then @code{iswalnum} is also
-@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswalpha (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is an alphabetic character (a letter).  If
- @code{iswlower} or @code{iswupper} is true of a character, then
- @code{iswalpha} is also true.
-@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswcntrl (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a control character (that is, a character that
- is not a printing character).
- 
-@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswdigit (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
- Please note that this function does not only return a nonzero value for
- @emph{decimal} digits, but for all kinds of digits.  A consequence is
-@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswgraph (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a graphic character; that is, a character
- that has a glyph associated with it.  The whitespace characters are not
- considered graphic.
-@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
- @comment ctype.h
- @comment ISO
- @deftypefun int iswlower (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a lower-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- 
-@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswprint (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a printing character.  Printing characters
- include all the graphic characters, plus the space (@samp{ }) character.
- 
-@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswpunct (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a punctuation character.
- This means any printing character that is not alphanumeric or a space
- character.
-@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswspace (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
- @code{"C"} locale, @code{iswspace} returns true for only the standard
- whitespace characters:
-@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswupper (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is an upper-case letter.  The letter need not be
- from the Latin alphabet, any alphabet representable is valid.
- 
-@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswxdigit (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a hexadecimal digit.
- Hexadecimal digits include the normal decimal digits @samp{0} through
- @samp{9} and the letters @samp{A} through @samp{F} and
-@@ -597,6 +654,7 @@ characters as well.
- @comment wctype.h
- @comment ISO
- @deftypefun int iswblank (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- Returns true if @var{wc} is a blank character; that is, a space or a tab.
- This function was originally a GNU extension, but was added in @w{ISO C99}.
- It is declared in @file{wchar.h}.
-@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wctrans_t wctrans (const char *@var{property})
--@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c Similar implementation, same caveats as wctype.
- The @code{wctrans} function has to be used to find out whether a named
- mapping is defined in the current locale selected for the
- @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
-@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
--@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
-+@safety{@mtsafe{}@assafe{}@acsafe{}}
-+@c Same caveats as iswctype.
- @code{towctrans} maps the input character @var{wc}
- according to the rules of the mapping for which @var{desc} is a
- descriptor, and returns the value it finds.  @var{desc} must be
-@@ -732,6 +792,9 @@ for them.
- @comment wctype.h
- @comment ISO
- @deftypefun wint_t towlower (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
-+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
-+@c table.
- If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
- lower-case letter.  If @var{wc} is not an upper-case letter,
- @var{wc} is returned unchanged.
-@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wint_t towupper (wint_t @var{wc})
-+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
- If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
- upper-case letter.  Otherwise @var{wc} is returned unchanged.
diff --git a/patches/thread-safety-documentation b/patches/thread-safety-documentation
index 9799a98..a9588e2 100644
--- a/patches/thread-safety-documentation
+++ b/patches/thread-safety-documentation
@@ -1,5 +1,5 @@
 Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
-Top:    1f38562405d3b5dadb8c27bd94ec1cba5a2481da
+Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
@@ -13,22 +13,323 @@ for ChangeLog
 ---
 
 diff --git a/manual/ctype.texi b/manual/ctype.texi
-index 3d13571..f05d509 100644
+index 3d13571..ddf38ce 100644
 --- a/manual/ctype.texi
 +++ b/manual/ctype.texi
-@@ -691,6 +691,7 @@ This type is defined in @file{wctype.h}.
+@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int islower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The is* macros call __ctype_b_loc to get the ctype array from the
++@c current locale, and then index it by c.  __ctype_b_loc reads from
++@c thread-local memory the (indirect) pointer to the ctype array, which
++@c may involve one word access to the global locale object, if that's
++@c the active locale for the thread, and the array, being part of the
++@c locale data, is undeletable, so there's no thread-safety issue.
+ Returns true if @var{c} is a lower-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ @end deftypefun
+@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an upper-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ @end deftypefun
+@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isalpha (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an alphabetic character (a letter).  If
+ @code{islower} or @code{isupper} is true of a character, then
+ @code{isalpha} is also true.
+@@ -97,6 +106,7 @@ additional characters.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isdigit (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+ @end deftypefun
+ 
+@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isalnum (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an alphanumeric character (a letter or
+ number); in other words, if either @code{isalpha} or @code{isdigit} is
+ true of a character, then @code{isalnum} is also true.
+@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isxdigit (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a hexadecimal digit.
+ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @samp{9} and the letters @samp{A} through @samp{F} and
+@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int ispunct (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a punctuation character.
+ This means any printing character that is not alphanumeric or a space
+ character.
+@@ -132,6 +145,7 @@ character.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isspace (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
+ @code{"C"} locale, @code{isspace} returns true for only the standard
+ whitespace characters:
+@@ -161,6 +175,7 @@ vertical tab
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isblank (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a blank character; that is, a space or a tab.
+ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ @end deftypefun
+@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isgraph (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a graphic character; that is, a character
+ that has a glyph associated with it.  The whitespace characters are not
+ considered graphic.
+@@ -178,6 +194,7 @@ considered graphic.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isprint (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a printing character.  Printing characters
+ include all the graphic characters, plus the space (@samp{ }) character.
+ @end deftypefun
+@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int iscntrl (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a control character (that is, a character that
+ is not a printing character).
+ @end deftypefun
+@@ -194,6 +212,7 @@ is not a printing character).
+ @comment ctype.h
+ @comment SVID, BSD
+ @deftypefun int isascii (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
+ into the US/UK ASCII character set.  This function is a BSD extension
+ and is also an SVID extension.
+@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int tolower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The to* macros/functions call different functions that use different
++@c arrays than those of__ctype_b_loc, but the access patterns and
++@c thus safety guarantees are the same.
+ If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
+ lower-case letter.  If @var{c} is not an upper-case letter,
+ @var{c} is returned unchanged.
+@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int toupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
+ upper-case letter.  Otherwise @var{c} is returned unchanged.
+ @end deftypefun
+@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
+ @comment ctype.h
+ @comment SVID, BSD
+ @deftypefun int toascii (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function converts @var{c} to a 7-bit @code{unsigned char} value
+ that fits into the US/UK ASCII character set, by clearing the high-order
+ bits.  This function is a BSD extension and is also an SVID extension.
+@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
+ @comment ctype.h
+ @comment SVID
+ @deftypefun int _tolower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is identical to @code{tolower}, and is provided for compatibility
+ with the SVID.  @xref{SVID}.@refill
+ @end deftypefun
+@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
+ @comment ctype.h
+ @comment SVID
+ @deftypefun int _toupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is identical to @code{toupper}, and is provided for compatibility
+ with the SVID.
+ @end deftypefun
+@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wctype_t wctype (const char *@var{property})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Although the source code of wctype contains multiple references to
++@c the locale, that could each reference different locale_data objects
++@c should the global locale object change while active, the compiler can
++@c and does combine them all into a single dereference that resolves
++@c once to the LCTYPE locale object used throughout the function, so it
++@c is safe in practice, if not in theory.  Ideally we'd explicitly save
++@c the resolved locale_data object to make it visibly safe instead of
++@c safe only under compiler optimizations.
+ The @code{wctype} returns a value representing a class of wide
+ characters which is identified by the string @var{property}.  Beside
+ some standard properties each locale can define its own ones.  In case
+@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The compressed lookup table returned by wctype is read-only.
+ This function returns a nonzero value if @var{wc} is in the character
+ class specified by @var{desc}.  @var{desc} must previously be returned
+ by a successful call to @code{wctype}.
+@@ -350,6 +388,15 @@ standard classes.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswalnum (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c The implicit wctype call in the isw* functions is actually an
++@c optimized version because the category has a known offset, but the
++@c wctype is equally safe when optimized, unsafe if not optimized.
++@c Since it's not a macro, and we always optimize, it's fine.  The test
++@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
++@c bring any other safety issues: the test does not depend on the
++@c locale, and each path after the decision resolves the locale object
++@c only once.
+ This function returns a nonzero value if @var{wc} is an alphanumeric
+ character (a letter or number); in other words, if either @code{iswalpha}
+ or @code{iswdigit} is true of a character, then @code{iswalnum} is also
+@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswalpha (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is an alphabetic character (a letter).  If
+ @code{iswlower} or @code{iswupper} is true of a character, then
+ @code{iswalpha} is also true.
+@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswcntrl (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a control character (that is, a character that
+ is not a printing character).
+ 
+@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswdigit (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
+ Please note that this function does not only return a nonzero value for
+ @emph{decimal} digits, but for all kinds of digits.  A consequence is
+@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswgraph (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a graphic character; that is, a character
+ that has a glyph associated with it.  The whitespace characters are not
+ considered graphic.
+@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int iswlower (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a lower-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ 
+@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswprint (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a printing character.  Printing characters
+ include all the graphic characters, plus the space (@samp{ }) character.
+ 
+@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswpunct (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a punctuation character.
+ This means any printing character that is not alphanumeric or a space
+ character.
+@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswspace (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
+ @code{"C"} locale, @code{iswspace} returns true for only the standard
+ whitespace characters:
+@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswupper (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is an upper-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ 
+@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswxdigit (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a hexadecimal digit.
+ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @samp{9} and the letters @samp{A} through @samp{F} and
+@@ -597,6 +654,7 @@ characters as well.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswblank (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a blank character; that is, a space or a tab.
+ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ It is declared in @file{wchar.h}.
+@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
  @comment wctype.h
  @comment ISO
  @deftypefun wctrans_t wctrans (const char *@var{property})
-+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Similar implementation, same caveats as wctype.
  The @code{wctrans} function has to be used to find out whether a named
  mapping is defined in the current locale selected for the
  @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
-@@ -713,6 +714,7 @@ These functions are declared in @file{wctype.h}.
+@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
  @comment wctype.h
  @comment ISO
  @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Same caveats as iswctype.
  @code{towctrans} maps the input character @var{wc}
  according to the rules of the mapping for which @var{desc} is a
  descriptor, and returns the value it finds.  @var{desc} must be
+@@ -730,6 +792,9 @@ for them.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towlower (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Same caveats as iswalnum, just using a wctrans rather than a wctype
++@c table.
+ If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
+ lower-case letter.  If @var{wc} is not an upper-case letter,
+ @var{wc} is returned unchanged.
+@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towupper (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
+ upper-case letter.  Otherwise @var{wc} is returned unchanged.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5287c793843e946fd2f478b0a2785249cc640f9c

commit 5287c793843e946fd2f478b0a2785249cc640f9c
Merge: a0855bc 1c7a149 b6864e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:48:14 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a0855bc90966b5b2e0e30eefe708975da5b5964f

commit a0855bc90966b5b2e0e30eefe708975da5b5964f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:48:14 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 5317d84..150ab75 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: cb8445821d012f4b3b302f57c1a0b7aad83ad3ae
-Head: fbb71ce3cced40f87c25964011852d114f327c36
+Previous: b6864e5d068d813c95f42cc42a4af998364b9e2d
+Head: 1c7a149c0726600eabeb718bf88b5d82031f6857
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   thread-safety-documentation: fbb71ce3cced40f87c25964011852d114f327c36
+  refresh-temp: 1c7a149c0726600eabeb718bf88b5d82031f6857
 Unapplied:
   manual-document-mt-safety-ctype.patch: b1da9d49b81e23d658de4369181599c33e3acd9e
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..702824c
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,332 @@
+Bottom: 1f38562405d3b5dadb8c27bd94ec1cba5a2481da
+Top:    a80e3502e79676408b83a0ee8d2c01161f2e1895
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 21:48:14 -0300
+
+Refresh of thread-safety-documentation
+
+---
+
+diff --git a/manual/ctype.texi b/manual/ctype.texi
+index f05d509..ddf38ce 100644
+--- a/manual/ctype.texi
++++ b/manual/ctype.texi
+@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int islower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The is* macros call __ctype_b_loc to get the ctype array from the
++@c current locale, and then index it by c.  __ctype_b_loc reads from
++@c thread-local memory the (indirect) pointer to the ctype array, which
++@c may involve one word access to the global locale object, if that's
++@c the active locale for the thread, and the array, being part of the
++@c locale data, is undeletable, so there's no thread-safety issue.
+ Returns true if @var{c} is a lower-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ @end deftypefun
+@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an upper-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ @end deftypefun
+@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isalpha (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an alphabetic character (a letter).  If
+ @code{islower} or @code{isupper} is true of a character, then
+ @code{isalpha} is also true.
+@@ -97,6 +106,7 @@ additional characters.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isdigit (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+ @end deftypefun
+ 
+@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isalnum (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an alphanumeric character (a letter or
+ number); in other words, if either @code{isalpha} or @code{isdigit} is
+ true of a character, then @code{isalnum} is also true.
+@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isxdigit (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a hexadecimal digit.
+ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @samp{9} and the letters @samp{A} through @samp{F} and
+@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int ispunct (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a punctuation character.
+ This means any printing character that is not alphanumeric or a space
+ character.
+@@ -132,6 +145,7 @@ character.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isspace (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
+ @code{"C"} locale, @code{isspace} returns true for only the standard
+ whitespace characters:
+@@ -161,6 +175,7 @@ vertical tab
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isblank (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a blank character; that is, a space or a tab.
+ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ @end deftypefun
+@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isgraph (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a graphic character; that is, a character
+ that has a glyph associated with it.  The whitespace characters are not
+ considered graphic.
+@@ -178,6 +194,7 @@ considered graphic.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isprint (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a printing character.  Printing characters
+ include all the graphic characters, plus the space (@samp{ }) character.
+ @end deftypefun
+@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int iscntrl (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a control character (that is, a character that
+ is not a printing character).
+ @end deftypefun
+@@ -194,6 +212,7 @@ is not a printing character).
+ @comment ctype.h
+ @comment SVID, BSD
+ @deftypefun int isascii (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
+ into the US/UK ASCII character set.  This function is a BSD extension
+ and is also an SVID extension.
+@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int tolower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The to* macros/functions call different functions that use different
++@c arrays than those of__ctype_b_loc, but the access patterns and
++@c thus safety guarantees are the same.
+ If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
+ lower-case letter.  If @var{c} is not an upper-case letter,
+ @var{c} is returned unchanged.
+@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int toupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
+ upper-case letter.  Otherwise @var{c} is returned unchanged.
+ @end deftypefun
+@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
+ @comment ctype.h
+ @comment SVID, BSD
+ @deftypefun int toascii (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function converts @var{c} to a 7-bit @code{unsigned char} value
+ that fits into the US/UK ASCII character set, by clearing the high-order
+ bits.  This function is a BSD extension and is also an SVID extension.
+@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
+ @comment ctype.h
+ @comment SVID
+ @deftypefun int _tolower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is identical to @code{tolower}, and is provided for compatibility
+ with the SVID.  @xref{SVID}.@refill
+ @end deftypefun
+@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
+ @comment ctype.h
+ @comment SVID
+ @deftypefun int _toupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is identical to @code{toupper}, and is provided for compatibility
+ with the SVID.
+ @end deftypefun
+@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wctype_t wctype (const char *@var{property})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Although the source code of wctype contains multiple references to
++@c the locale, that could each reference different locale_data objects
++@c should the global locale object change while active, the compiler can
++@c and does combine them all into a single dereference that resolves
++@c once to the LCTYPE locale object used throughout the function, so it
++@c is safe in practice, if not in theory.  Ideally we'd explicitly save
++@c the resolved locale_data object to make it visibly safe instead of
++@c safe only under compiler optimizations.
+ The @code{wctype} returns a value representing a class of wide
+ characters which is identified by the string @var{property}.  Beside
+ some standard properties each locale can define its own ones.  In case
+@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The compressed lookup table returned by wctype is read-only.
+ This function returns a nonzero value if @var{wc} is in the character
+ class specified by @var{desc}.  @var{desc} must previously be returned
+ by a successful call to @code{wctype}.
+@@ -350,6 +388,15 @@ standard classes.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswalnum (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c The implicit wctype call in the isw* functions is actually an
++@c optimized version because the category has a known offset, but the
++@c wctype is equally safe when optimized, unsafe if not optimized.
++@c Since it's not a macro, and we always optimize, it's fine.  The test
++@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
++@c bring any other safety issues: the test does not depend on the
++@c locale, and each path after the decision resolves the locale object
++@c only once.
+ This function returns a nonzero value if @var{wc} is an alphanumeric
+ character (a letter or number); in other words, if either @code{iswalpha}
+ or @code{iswdigit} is true of a character, then @code{iswalnum} is also
+@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswalpha (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is an alphabetic character (a letter).  If
+ @code{iswlower} or @code{iswupper} is true of a character, then
+ @code{iswalpha} is also true.
+@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswcntrl (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a control character (that is, a character that
+ is not a printing character).
+ 
+@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswdigit (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
+ Please note that this function does not only return a nonzero value for
+ @emph{decimal} digits, but for all kinds of digits.  A consequence is
+@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswgraph (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a graphic character; that is, a character
+ that has a glyph associated with it.  The whitespace characters are not
+ considered graphic.
+@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int iswlower (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a lower-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ 
+@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswprint (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a printing character.  Printing characters
+ include all the graphic characters, plus the space (@samp{ }) character.
+ 
+@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswpunct (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a punctuation character.
+ This means any printing character that is not alphanumeric or a space
+ character.
+@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswspace (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
+ @code{"C"} locale, @code{iswspace} returns true for only the standard
+ whitespace characters:
+@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswupper (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is an upper-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ 
+@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswxdigit (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a hexadecimal digit.
+ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @samp{9} and the letters @samp{A} through @samp{F} and
+@@ -597,6 +654,7 @@ characters as well.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswblank (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a blank character; that is, a space or a tab.
+ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ It is declared in @file{wchar.h}.
+@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wctrans_t wctrans (const char *@var{property})
+-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Similar implementation, same caveats as wctype.
+ The @code{wctrans} function has to be used to find out whether a named
+ mapping is defined in the current locale selected for the
+ @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
+@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Same caveats as iswctype.
+ @code{towctrans} maps the input character @var{wc}
+ according to the rules of the mapping for which @var{desc} is a
+ descriptor, and returns the value it finds.  @var{desc} must be
+@@ -732,6 +792,9 @@ for them.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towlower (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Same caveats as iswalnum, just using a wctrans rather than a wctype
++@c table.
+ If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
+ lower-case letter.  If @var{wc} is not an upper-case letter,
+ @var{wc} is returned unchanged.
+@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towupper (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
+ upper-case letter.  Otherwise @var{wc} is returned unchanged.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1c7a149c0726600eabeb718bf88b5d82031f6857

commit 1c7a149c0726600eabeb718bf88b5d82031f6857
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:48:14 2013 -0300

    Refresh of thread-safety-documentation

diff --git a/manual/ctype.texi b/manual/ctype.texi
index f05d509..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -732,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b6864e5d068d813c95f42cc42a4af998364b9e2d

commit b6864e5d068d813c95f42cc42a4af998364b9e2d
Merge: 4c198fe cb84458 fbb71ce
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:47:39 2013 -0300

    repair


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4c198fe0826a24451ec717df1163b915944f5f3f

commit 4c198fe0826a24451ec717df1163b915944f5f3f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:47:39 2013 -0300

    repair

diff --git a/meta b/meta
index cd8af55..5317d84 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 798b190d23f3f3a4ad79d3ad58033f247cfce24a
+Previous: cb8445821d012f4b3b302f57c1a0b7aad83ad3ae
 Head: fbb71ce3cced40f87c25964011852d114f327c36
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
@@ -9,7 +9,8 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  manual-document-mt-safety-ctype.patch: b1da9d49b81e23d658de4369181599c33e3acd9e
+  thread-safety-documentation: fbb71ce3cced40f87c25964011852d114f327c36
 Unapplied:
+  manual-document-mt-safety-ctype.patch: b1da9d49b81e23d658de4369181599c33e3acd9e
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/thread-safety-documentation b/patches/thread-safety-documentation
new file mode 100644
index 0000000..9799a98
--- /dev/null
+++ b/patches/thread-safety-documentation
@@ -0,0 +1,34 @@
+Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
+Top:    1f38562405d3b5dadb8c27bd94ec1cba5a2481da
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 15:29:41 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/ctype.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/ctype.texi b/manual/ctype.texi
+index 3d13571..f05d509 100644
+--- a/manual/ctype.texi
++++ b/manual/ctype.texi
+@@ -691,6 +691,7 @@ This type is defined in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wctrans_t wctrans (const char *@var{property})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wctrans} function has to be used to find out whether a named
+ mapping is defined in the current locale selected for the
+ @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
+@@ -713,6 +714,7 @@ These functions are declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ @code{towctrans} maps the input character @var{wc}
+ according to the rules of the mapping for which @var{desc} is a
+ descriptor, and returns the value it finds.  @var{desc} must be

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cb8445821d012f4b3b302f57c1a0b7aad83ad3ae

commit cb8445821d012f4b3b302f57c1a0b7aad83ad3ae
Merge: 0b60f0a 798b190 fbb71ce
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:46:56 2013 -0300

    external modifications
    
    Modifications by tools other than StGit (e.g. git).


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0b60f0aafece87396a646631192339d54c5324fc

commit 0b60f0aafece87396a646631192339d54c5324fc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:46:56 2013 -0300

    external modifications
    
    Modifications by tools other than StGit (e.g. git).

diff --git a/meta b/meta
index 4ba806b..cd8af55 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 92ecb9cc92814d23ccb743dab61d49f352050d65
-Head: b1da9d49b81e23d658de4369181599c33e3acd9e
+Previous: 798b190d23f3f3a4ad79d3ad58033f247cfce24a
+Head: fbb71ce3cced40f87c25964011852d114f327c36
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=798b190d23f3f3a4ad79d3ad58033f247cfce24a

commit 798b190d23f3f3a4ad79d3ad58033f247cfce24a
Merge: ac15c3c b1da9d4 92ecb9c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:43:22 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac15c3c240153a4eb66bde41aba4cbb7bdd9d560

commit ac15c3c240153a4eb66bde41aba4cbb7bdd9d560
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:43:22 2013 -0300

    refresh

diff --git a/meta b/meta
index d6de884..4ba806b 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: fa0e164579ef7d32d41b16568c2074df2d84ea0d
-Head: db2ee3a6f7f5658cf70172ca995df47e3b27c3a0
+Previous: 92ecb9cc92814d23ccb743dab61d49f352050d65
+Head: b1da9d49b81e23d658de4369181599c33e3acd9e
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -9,8 +9,7 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  manual-document-mt-safety-ctype.patch: fbb71ce3cced40f87c25964011852d114f327c36
-  refresh-temp: db2ee3a6f7f5658cf70172ca995df47e3b27c3a0
+  manual-document-mt-safety-ctype.patch: b1da9d49b81e23d658de4369181599c33e3acd9e
 Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/manual-document-mt-safety-ctype.patch b/patches/manual-document-mt-safety-ctype.patch
index 9799a98..40dba95 100644
--- a/patches/manual-document-mt-safety-ctype.patch
+++ b/patches/manual-document-mt-safety-ctype.patch
@@ -1,5 +1,5 @@
 Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
-Top:    1f38562405d3b5dadb8c27bd94ec1cba5a2481da
+Top:    eb7c2702254befc63994aae3ba24a286ee829464
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-08-13 15:29:41 -0300
 
@@ -13,22 +13,778 @@ for ChangeLog
 ---
 
 diff --git a/manual/ctype.texi b/manual/ctype.texi
-index 3d13571..f05d509 100644
+deleted file mode 100644
+index 3d13571..0000000
 --- a/manual/ctype.texi
-+++ b/manual/ctype.texi
-@@ -691,6 +691,7 @@ This type is defined in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wctrans_t wctrans (const char *@var{property})
-+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
- The @code{wctrans} function has to be used to find out whether a named
- mapping is defined in the current locale selected for the
- @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
-@@ -713,6 +714,7 @@ These functions are declared in @file{wctype.h}.
- @comment wctype.h
- @comment ISO
- @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
- @code{towctrans} maps the input character @var{wc}
- according to the rules of the mapping for which @var{desc} is a
- descriptor, and returns the value it finds.  @var{desc} must be
++++ /dev/null
+@@ -1,770 +0,0 @@
+-@node Character Handling, String and Array Utilities, Memory, Top
+-@c %MENU% Character testing and conversion functions
+-@chapter Character Handling
+-
+-Programs that work with characters and strings often need to classify a
+-character---is it alphabetic, is it a digit, is it whitespace, and so
+-on---and perform case conversion operations on characters.  The
+-functions in the header file @file{ctype.h} are provided for this
+-purpose.
+-@pindex ctype.h
+-
+-Since the choice of locale and character set can alter the
+-classifications of particular character codes, all of these functions
+-are affected by the current locale.  (More precisely, they are affected
+-by the locale currently selected for character classification---the
+-@code{LC_CTYPE} category; see @ref{Locale Categories}.)
+-
+-The @w{ISO C} standard specifies two different sets of functions.  The
+-one set works on @code{char} type characters, the other one on
+-@code{wchar_t} wide characters (@pxref{Extended Char Intro}).
+-
+-@menu
+-* Classification of Characters::       Testing whether characters are
+-			                letters, digits, punctuation, etc.
+-
+-* Case Conversion::                    Case mapping, and the like.
+-* Classification of Wide Characters::  Character class determination for
+-                                        wide characters.
+-* Using Wide Char Classes::            Notes on using the wide character
+-                                        classes.
+-* Wide Character Case Conversion::     Mapping of wide characters.
+-@end menu
+-
+-@node Classification of Characters, Case Conversion,  , Character Handling
+-@section Classification of Characters
+-@cindex character testing
+-@cindex classification of characters
+-@cindex predicates on characters
+-@cindex character predicates
+-
+-This section explains the library functions for classifying characters.
+-For example, @code{isalpha} is the function to test for an alphabetic
+-character.  It takes one argument, the character to test, and returns a
+-nonzero integer if the character is alphabetic, and zero otherwise.  You
+-would use it like this:
+-
+-@smallexample
+-if (isalpha (c))
+-  printf ("The character `%c' is alphabetic.\n", c);
+-@end smallexample
+-
+-Each of the functions in this section tests for membership in a
+-particular class of characters; each has a name starting with @samp{is}.
+-Each of them takes one argument, which is a character to test, and
+-returns an @code{int} which is treated as a boolean value.  The
+-character argument is passed as an @code{int}, and it may be the
+-constant value @code{EOF} instead of a real character.
+-
+-The attributes of any given character can vary between locales.
+-@xref{Locales}, for more information on locales.@refill
+-
+-These functions are declared in the header file @file{ctype.h}.
+-@pindex ctype.h
+-
+-@cindex lower-case character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int islower (int @var{c})
+-Returns true if @var{c} is a lower-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-@end deftypefun
+-
+-@cindex upper-case character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isupper (int @var{c})
+-Returns true if @var{c} is an upper-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-@end deftypefun
+-
+-@cindex alphabetic character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isalpha (int @var{c})
+-Returns true if @var{c} is an alphabetic character (a letter).  If
+-@code{islower} or @code{isupper} is true of a character, then
+-@code{isalpha} is also true.
+-
+-In some locales, there may be additional characters for which
+-@code{isalpha} is true---letters which are neither upper case nor lower
+-case.  But in the standard @code{"C"} locale, there are no such
+-additional characters.
+-@end deftypefun
+-
+-@cindex digit character
+-@cindex decimal digit character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isdigit (int @var{c})
+-Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+-@end deftypefun
+-
+-@cindex alphanumeric character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isalnum (int @var{c})
+-Returns true if @var{c} is an alphanumeric character (a letter or
+-number); in other words, if either @code{isalpha} or @code{isdigit} is
+-true of a character, then @code{isalnum} is also true.
+-@end deftypefun
+-
+-@cindex hexadecimal digit character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isxdigit (int @var{c})
+-Returns true if @var{c} is a hexadecimal digit.
+-Hexadecimal digits include the normal decimal digits @samp{0} through
+-@samp{9} and the letters @samp{A} through @samp{F} and
+-@samp{a} through @samp{f}.
+-@end deftypefun
+-
+-@cindex punctuation character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int ispunct (int @var{c})
+-Returns true if @var{c} is a punctuation character.
+-This means any printing character that is not alphanumeric or a space
+-character.
+-@end deftypefun
+-
+-@cindex whitespace character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isspace (int @var{c})
+-Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
+-@code{"C"} locale, @code{isspace} returns true for only the standard
+-whitespace characters:
+-
+-@table @code
+-@item ' '
+-space
+-
+-@item '\f'
+-formfeed
+-
+-@item '\n'
+-newline
+-
+-@item '\r'
+-carriage return
+-
+-@item '\t'
+-horizontal tab
+-
+-@item '\v'
+-vertical tab
+-@end table
+-@end deftypefun
+-
+-@cindex blank character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isblank (int @var{c})
+-Returns true if @var{c} is a blank character; that is, a space or a tab.
+-This function was originally a GNU extension, but was added in @w{ISO C99}.
+-@end deftypefun
+-
+-@cindex graphic character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isgraph (int @var{c})
+-Returns true if @var{c} is a graphic character; that is, a character
+-that has a glyph associated with it.  The whitespace characters are not
+-considered graphic.
+-@end deftypefun
+-
+-@cindex printing character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isprint (int @var{c})
+-Returns true if @var{c} is a printing character.  Printing characters
+-include all the graphic characters, plus the space (@samp{ }) character.
+-@end deftypefun
+-
+-@cindex control character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int iscntrl (int @var{c})
+-Returns true if @var{c} is a control character (that is, a character that
+-is not a printing character).
+-@end deftypefun
+-
+-@cindex ASCII character
+-@comment ctype.h
+-@comment SVID, BSD
+-@deftypefun int isascii (int @var{c})
+-Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
+-into the US/UK ASCII character set.  This function is a BSD extension
+-and is also an SVID extension.
+-@end deftypefun
+-
+-@node Case Conversion, Classification of Wide Characters, Classification of Characters, Character Handling
+-@section Case Conversion
+-@cindex character case conversion
+-@cindex case conversion of characters
+-@cindex converting case of characters
+-
+-This section explains the library functions for performing conversions
+-such as case mappings on characters.  For example, @code{toupper}
+-converts any character to upper case if possible.  If the character
+-can't be converted, @code{toupper} returns it unchanged.
+-
+-These functions take one argument of type @code{int}, which is the
+-character to convert, and return the converted character as an
+-@code{int}.  If the conversion is not applicable to the argument given,
+-the argument is returned unchanged.
+-
+-@strong{Compatibility Note:} In pre-@w{ISO C} dialects, instead of
+-returning the argument unchanged, these functions may fail when the
+-argument is not suitable for the conversion.  Thus for portability, you
+-may need to write @code{islower(c) ? toupper(c) : c} rather than just
+-@code{toupper(c)}.
+-
+-These functions are declared in the header file @file{ctype.h}.
+-@pindex ctype.h
+-
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int tolower (int @var{c})
+-If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
+-lower-case letter.  If @var{c} is not an upper-case letter,
+-@var{c} is returned unchanged.
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int toupper (int @var{c})
+-If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
+-upper-case letter.  Otherwise @var{c} is returned unchanged.
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment SVID, BSD
+-@deftypefun int toascii (int @var{c})
+-This function converts @var{c} to a 7-bit @code{unsigned char} value
+-that fits into the US/UK ASCII character set, by clearing the high-order
+-bits.  This function is a BSD extension and is also an SVID extension.
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment SVID
+-@deftypefun int _tolower (int @var{c})
+-This is identical to @code{tolower}, and is provided for compatibility
+-with the SVID.  @xref{SVID}.@refill
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment SVID
+-@deftypefun int _toupper (int @var{c})
+-This is identical to @code{toupper}, and is provided for compatibility
+-with the SVID.
+-@end deftypefun
+-
+-
+-@node Classification of Wide Characters, Using Wide Char Classes, Case Conversion, Character Handling
+-@section Character class determination for wide characters
+-
+-@w{Amendment 1} to @w{ISO C90} defines functions to classify wide
+-characters.  Although the original @w{ISO C90} standard already defined
+-the type @code{wchar_t}, no functions operating on them were defined.
+-
+-The general design of the classification functions for wide characters
+-is more general.  It allows extensions to the set of available
+-classifications, beyond those which are always available.  The POSIX
+-standard specifies how extensions can be made, and this is already
+-implemented in the @glibcadj{} implementation of the @code{localedef}
+-program.
+-
+-The character class functions are normally implemented with bitsets,
+-with a bitset per character.  For a given character, the appropriate
+-bitset is read from a table and a test is performed as to whether a
+-certain bit is set.  Which bit is tested for is determined by the
+-class.
+-
+-For the wide character classification functions this is made visible.
+-There is a type classification type defined, a function to retrieve this
+-value for a given class, and a function to test whether a given
+-character is in this class, using the classification value.  On top of
+-this the normal character classification functions as used for
+-@code{char} objects can be defined.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftp {Data type} wctype_t
+-The @code{wctype_t} can hold a value which represents a character class.
+-The only defined way to generate such a value is by using the
+-@code{wctype} function.
+-
+-@pindex wctype.h
+-This type is defined in @file{wctype.h}.
+-@end deftp
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wctype_t wctype (const char *@var{property})
+-The @code{wctype} returns a value representing a class of wide
+-characters which is identified by the string @var{property}.  Beside
+-some standard properties each locale can define its own ones.  In case
+-no property with the given name is known for the current locale
+-selected for the @code{LC_CTYPE} category, the function returns zero.
+-
+-@noindent
+-The properties known in every locale are:
+-
+-@multitable @columnfractions .25 .25 .25 .25
+-@item
+-@code{"alnum"} @tab @code{"alpha"} @tab @code{"cntrl"} @tab @code{"digit"}
+-@item
+-@code{"graph"} @tab @code{"lower"} @tab @code{"print"} @tab @code{"punct"}
+-@item
+-@code{"space"} @tab @code{"upper"} @tab @code{"xdigit"}
+-@end multitable
+-
+-@pindex wctype.h
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-To test the membership of a character to one of the non-standard classes
+-the @w{ISO C} standard defines a completely new function.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+-This function returns a nonzero value if @var{wc} is in the character
+-class specified by @var{desc}.  @var{desc} must previously be returned
+-by a successful call to @code{wctype}.
+-
+-@pindex wctype.h
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-To make it easier to use the commonly-used classification functions,
+-they are defined in the C library.  There is no need to use
+-@code{wctype} if the property string is one of the known character
+-classes.  In some situations it is desirable to construct the property
+-strings, and then it is important that @code{wctype} can also handle the
+-standard classes.
+-
+-@cindex alphanumeric character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswalnum (wint_t @var{wc})
+-This function returns a nonzero value if @var{wc} is an alphanumeric
+-character (a letter or number); in other words, if either @code{iswalpha}
+-or @code{iswdigit} is true of a character, then @code{iswalnum} is also
+-true.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("alnum"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex alphabetic character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswalpha (wint_t @var{wc})
+-Returns true if @var{wc} is an alphabetic character (a letter).  If
+-@code{iswlower} or @code{iswupper} is true of a character, then
+-@code{iswalpha} is also true.
+-
+-In some locales, there may be additional characters for which
+-@code{iswalpha} is true---letters which are neither upper case nor lower
+-case.  But in the standard @code{"C"} locale, there are no such
+-additional characters.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("alpha"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex control character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswcntrl (wint_t @var{wc})
+-Returns true if @var{wc} is a control character (that is, a character that
+-is not a printing character).
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("cntrl"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex digit character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswdigit (wint_t @var{wc})
+-Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
+-Please note that this function does not only return a nonzero value for
+-@emph{decimal} digits, but for all kinds of digits.  A consequence is
+-that code like the following will @strong{not} work unconditionally for
+-wide characters:
+-
+-@smallexample
+-n = 0;
+-while (iswdigit (*wc))
+-  @{
+-    n *= 10;
+-    n += *wc++ - L'0';
+-  @}
+-@end smallexample
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("digit"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex graphic character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswgraph (wint_t @var{wc})
+-Returns true if @var{wc} is a graphic character; that is, a character
+-that has a glyph associated with it.  The whitespace characters are not
+-considered graphic.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("graph"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex lower-case character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int iswlower (wint_t @var{wc})
+-Returns true if @var{wc} is a lower-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("lower"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex printing character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswprint (wint_t @var{wc})
+-Returns true if @var{wc} is a printing character.  Printing characters
+-include all the graphic characters, plus the space (@samp{ }) character.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("print"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex punctuation character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswpunct (wint_t @var{wc})
+-Returns true if @var{wc} is a punctuation character.
+-This means any printing character that is not alphanumeric or a space
+-character.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("punct"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex whitespace character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswspace (wint_t @var{wc})
+-Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
+-@code{"C"} locale, @code{iswspace} returns true for only the standard
+-whitespace characters:
+-
+-@table @code
+-@item L' '
+-space
+-
+-@item L'\f'
+-formfeed
+-
+-@item L'\n'
+-newline
+-
+-@item L'\r'
+-carriage return
+-
+-@item L'\t'
+-horizontal tab
+-
+-@item L'\v'
+-vertical tab
+-@end table
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("space"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex upper-case character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswupper (wint_t @var{wc})
+-Returns true if @var{wc} is an upper-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("upper"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex hexadecimal digit character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswxdigit (wint_t @var{wc})
+-Returns true if @var{wc} is a hexadecimal digit.
+-Hexadecimal digits include the normal decimal digits @samp{0} through
+-@samp{9} and the letters @samp{A} through @samp{F} and
+-@samp{a} through @samp{f}.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("xdigit"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@Theglibc{} also provides a function which is not defined in the
+-@w{ISO C} standard but which is available as a version for single byte
+-characters as well.
+-
+-@cindex blank character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswblank (wint_t @var{wc})
+-Returns true if @var{wc} is a blank character; that is, a space or a tab.
+-This function was originally a GNU extension, but was added in @w{ISO C99}.
+-It is declared in @file{wchar.h}.
+-@end deftypefun
+-
+-@node Using Wide Char Classes, Wide Character Case Conversion, Classification of Wide Characters, Character Handling
+-@section Notes on using the wide character classes
+-
+-The first note is probably not astonishing but still occasionally a
+-cause of problems.  The @code{isw@var{XXX}} functions can be implemented
+-using macros and in fact, @theglibc{} does this.  They are still
+-available as real functions but when the @file{wctype.h} header is
+-included the macros will be used.  This is the same as the
+-@code{char} type versions of these functions.
+-
+-The second note covers something new.  It can be best illustrated by a
+-(real-world) example.  The first piece of code is an excerpt from the
+-original code.  It is truncated a bit but the intention should be clear.
+-
+-@smallexample
+-int
+-is_in_class (int c, const char *class)
+-@{
+-  if (strcmp (class, "alnum") == 0)
+-    return isalnum (c);
+-  if (strcmp (class, "alpha") == 0)
+-    return isalpha (c);
+-  if (strcmp (class, "cntrl") == 0)
+-    return iscntrl (c);
+-  @dots{}
+-  return 0;
+-@}
+-@end smallexample
+-
+-Now, with the @code{wctype} and @code{iswctype} you can avoid the
+-@code{if} cascades, but rewriting the code as follows is wrong:
+-
+-@smallexample
+-int
+-is_in_class (int c, const char *class)
+-@{
+-  wctype_t desc = wctype (class);
+-  return desc ? iswctype ((wint_t) c, desc) : 0;
+-@}
+-@end smallexample
+-
+-The problem is that it is not guaranteed that the wide character
+-representation of a single-byte character can be found using casting.
+-In fact, usually this fails miserably.  The correct solution to this
+-problem is to write the code as follows:
+-
+-@smallexample
+-int
+-is_in_class (int c, const char *class)
+-@{
+-  wctype_t desc = wctype (class);
+-  return desc ? iswctype (btowc (c), desc) : 0;
+-@}
+-@end smallexample
+-
+-@xref{Converting a Character}, for more information on @code{btowc}.
+-Note that this change probably does not improve the performance
+-of the program a lot since the @code{wctype} function still has to make
+-the string comparisons.  It gets really interesting if the
+-@code{is_in_class} function is called more than once for the
+-same class name.  In this case the variable @var{desc} could be computed
+-once and reused for all the calls.  Therefore the above form of the
+-function is probably not the final one.
+-
+-
+-@node Wide Character Case Conversion, , Using Wide Char Classes, Character Handling
+-@section Mapping of wide characters.
+-
+-The classification functions are also generalized by the @w{ISO C}
+-standard.  Instead of just allowing the two standard mappings, a
+-locale can contain others.  Again, the @code{localedef} program
+-already supports generating such locale data files.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftp {Data Type} wctrans_t
+-This data type is defined as a scalar type which can hold a value
+-representing the locale-dependent character mapping.  There is no way to
+-construct such a value apart from using the return value of the
+-@code{wctrans} function.
+-
+-@pindex wctype.h
+-@noindent
+-This type is defined in @file{wctype.h}.
+-@end deftp
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wctrans_t wctrans (const char *@var{property})
+-The @code{wctrans} function has to be used to find out whether a named
+-mapping is defined in the current locale selected for the
+-@code{LC_CTYPE} category.  If the returned value is non-zero, you can use
+-it afterwards in calls to @code{towctrans}.  If the return value is
+-zero no such mapping is known in the current locale.
+-
+-Beside locale-specific mappings there are two mappings which are
+-guaranteed to be available in every locale:
+-
+-@multitable @columnfractions .5 .5
+-@item
+-@code{"tolower"} @tab @code{"toupper"}
+-@end multitable
+-
+-@pindex wctype.h
+-@noindent
+-These functions are declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+-@code{towctrans} maps the input character @var{wc}
+-according to the rules of the mapping for which @var{desc} is a
+-descriptor, and returns the value it finds.  @var{desc} must be
+-obtained by a successful call to @code{wctrans}.
+-
+-@pindex wctype.h
+-@noindent
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-For the generally available mappings, the @w{ISO C} standard defines
+-convenient shortcuts so that it is not necessary to call @code{wctrans}
+-for them.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wint_t towlower (wint_t @var{wc})
+-If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
+-lower-case letter.  If @var{wc} is not an upper-case letter,
+-@var{wc} is returned unchanged.
+-
+-@noindent
+-@code{towlower} can be implemented using
+-
+-@smallexample
+-towctrans (wc, wctrans ("tolower"))
+-@end smallexample
+-
+-@pindex wctype.h
+-@noindent
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wint_t towupper (wint_t @var{wc})
+-If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
+-upper-case letter.  Otherwise @var{wc} is returned unchanged.
+-
+-@noindent
+-@code{towupper} can be implemented using
+-
+-@smallexample
+-towctrans (wc, wctrans ("toupper"))
+-@end smallexample
+-
+-@pindex wctype.h
+-@noindent
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-The same warnings given in the last section for the use of the wide
+-character classification functions apply here.  It is not possible to
+-simply cast a @code{char} type value to a @code{wint_t} and use it as an
+-argument to @code{towctrans} calls.
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index 818f328..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,787 +0,0 @@
-Bottom: 1f38562405d3b5dadb8c27bd94ec1cba5a2481da
-Top:    eb7c2702254befc63994aae3ba24a286ee829464
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-08-13 21:43:21 -0300
-
-Refresh of manual-document-mt-safety-ctype.patch
-
----
-
-diff --git a/manual/ctype.texi b/manual/ctype.texi
-deleted file mode 100644
-index f05d509..0000000
---- a/manual/ctype.texi
-+++ /dev/null
-@@ -1,772 +0,0 @@
--@node Character Handling, String and Array Utilities, Memory, Top
--@c %MENU% Character testing and conversion functions
--@chapter Character Handling
--
--Programs that work with characters and strings often need to classify a
--character---is it alphabetic, is it a digit, is it whitespace, and so
--on---and perform case conversion operations on characters.  The
--functions in the header file @file{ctype.h} are provided for this
--purpose.
--@pindex ctype.h
--
--Since the choice of locale and character set can alter the
--classifications of particular character codes, all of these functions
--are affected by the current locale.  (More precisely, they are affected
--by the locale currently selected for character classification---the
--@code{LC_CTYPE} category; see @ref{Locale Categories}.)
--
--The @w{ISO C} standard specifies two different sets of functions.  The
--one set works on @code{char} type characters, the other one on
--@code{wchar_t} wide characters (@pxref{Extended Char Intro}).
--
--@menu
--* Classification of Characters::       Testing whether characters are
--			                letters, digits, punctuation, etc.
--
--* Case Conversion::                    Case mapping, and the like.
--* Classification of Wide Characters::  Character class determination for
--                                        wide characters.
--* Using Wide Char Classes::            Notes on using the wide character
--                                        classes.
--* Wide Character Case Conversion::     Mapping of wide characters.
--@end menu
--
--@node Classification of Characters, Case Conversion,  , Character Handling
--@section Classification of Characters
--@cindex character testing
--@cindex classification of characters
--@cindex predicates on characters
--@cindex character predicates
--
--This section explains the library functions for classifying characters.
--For example, @code{isalpha} is the function to test for an alphabetic
--character.  It takes one argument, the character to test, and returns a
--nonzero integer if the character is alphabetic, and zero otherwise.  You
--would use it like this:
--
--@smallexample
--if (isalpha (c))
--  printf ("The character `%c' is alphabetic.\n", c);
--@end smallexample
--
--Each of the functions in this section tests for membership in a
--particular class of characters; each has a name starting with @samp{is}.
--Each of them takes one argument, which is a character to test, and
--returns an @code{int} which is treated as a boolean value.  The
--character argument is passed as an @code{int}, and it may be the
--constant value @code{EOF} instead of a real character.
--
--The attributes of any given character can vary between locales.
--@xref{Locales}, for more information on locales.@refill
--
--These functions are declared in the header file @file{ctype.h}.
--@pindex ctype.h
--
--@cindex lower-case character
--@comment ctype.h
--@comment ISO
--@deftypefun int islower (int @var{c})
--Returns true if @var{c} is a lower-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--@end deftypefun
--
--@cindex upper-case character
--@comment ctype.h
--@comment ISO
--@deftypefun int isupper (int @var{c})
--Returns true if @var{c} is an upper-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--@end deftypefun
--
--@cindex alphabetic character
--@comment ctype.h
--@comment ISO
--@deftypefun int isalpha (int @var{c})
--Returns true if @var{c} is an alphabetic character (a letter).  If
--@code{islower} or @code{isupper} is true of a character, then
--@code{isalpha} is also true.
--
--In some locales, there may be additional characters for which
--@code{isalpha} is true---letters which are neither upper case nor lower
--case.  But in the standard @code{"C"} locale, there are no such
--additional characters.
--@end deftypefun
--
--@cindex digit character
--@cindex decimal digit character
--@comment ctype.h
--@comment ISO
--@deftypefun int isdigit (int @var{c})
--Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
--@end deftypefun
--
--@cindex alphanumeric character
--@comment ctype.h
--@comment ISO
--@deftypefun int isalnum (int @var{c})
--Returns true if @var{c} is an alphanumeric character (a letter or
--number); in other words, if either @code{isalpha} or @code{isdigit} is
--true of a character, then @code{isalnum} is also true.
--@end deftypefun
--
--@cindex hexadecimal digit character
--@comment ctype.h
--@comment ISO
--@deftypefun int isxdigit (int @var{c})
--Returns true if @var{c} is a hexadecimal digit.
--Hexadecimal digits include the normal decimal digits @samp{0} through
--@samp{9} and the letters @samp{A} through @samp{F} and
--@samp{a} through @samp{f}.
--@end deftypefun
--
--@cindex punctuation character
--@comment ctype.h
--@comment ISO
--@deftypefun int ispunct (int @var{c})
--Returns true if @var{c} is a punctuation character.
--This means any printing character that is not alphanumeric or a space
--character.
--@end deftypefun
--
--@cindex whitespace character
--@comment ctype.h
--@comment ISO
--@deftypefun int isspace (int @var{c})
--Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
--@code{"C"} locale, @code{isspace} returns true for only the standard
--whitespace characters:
--
--@table @code
--@item ' '
--space
--
--@item '\f'
--formfeed
--
--@item '\n'
--newline
--
--@item '\r'
--carriage return
--
--@item '\t'
--horizontal tab
--
--@item '\v'
--vertical tab
--@end table
--@end deftypefun
--
--@cindex blank character
--@comment ctype.h
--@comment ISO
--@deftypefun int isblank (int @var{c})
--Returns true if @var{c} is a blank character; that is, a space or a tab.
--This function was originally a GNU extension, but was added in @w{ISO C99}.
--@end deftypefun
--
--@cindex graphic character
--@comment ctype.h
--@comment ISO
--@deftypefun int isgraph (int @var{c})
--Returns true if @var{c} is a graphic character; that is, a character
--that has a glyph associated with it.  The whitespace characters are not
--considered graphic.
--@end deftypefun
--
--@cindex printing character
--@comment ctype.h
--@comment ISO
--@deftypefun int isprint (int @var{c})
--Returns true if @var{c} is a printing character.  Printing characters
--include all the graphic characters, plus the space (@samp{ }) character.
--@end deftypefun
--
--@cindex control character
--@comment ctype.h
--@comment ISO
--@deftypefun int iscntrl (int @var{c})
--Returns true if @var{c} is a control character (that is, a character that
--is not a printing character).
--@end deftypefun
--
--@cindex ASCII character
--@comment ctype.h
--@comment SVID, BSD
--@deftypefun int isascii (int @var{c})
--Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
--into the US/UK ASCII character set.  This function is a BSD extension
--and is also an SVID extension.
--@end deftypefun
--
--@node Case Conversion, Classification of Wide Characters, Classification of Characters, Character Handling
--@section Case Conversion
--@cindex character case conversion
--@cindex case conversion of characters
--@cindex converting case of characters
--
--This section explains the library functions for performing conversions
--such as case mappings on characters.  For example, @code{toupper}
--converts any character to upper case if possible.  If the character
--can't be converted, @code{toupper} returns it unchanged.
--
--These functions take one argument of type @code{int}, which is the
--character to convert, and return the converted character as an
--@code{int}.  If the conversion is not applicable to the argument given,
--the argument is returned unchanged.
--
--@strong{Compatibility Note:} In pre-@w{ISO C} dialects, instead of
--returning the argument unchanged, these functions may fail when the
--argument is not suitable for the conversion.  Thus for portability, you
--may need to write @code{islower(c) ? toupper(c) : c} rather than just
--@code{toupper(c)}.
--
--These functions are declared in the header file @file{ctype.h}.
--@pindex ctype.h
--
--@comment ctype.h
--@comment ISO
--@deftypefun int tolower (int @var{c})
--If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
--lower-case letter.  If @var{c} is not an upper-case letter,
--@var{c} is returned unchanged.
--@end deftypefun
--
--@comment ctype.h
--@comment ISO
--@deftypefun int toupper (int @var{c})
--If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
--upper-case letter.  Otherwise @var{c} is returned unchanged.
--@end deftypefun
--
--@comment ctype.h
--@comment SVID, BSD
--@deftypefun int toascii (int @var{c})
--This function converts @var{c} to a 7-bit @code{unsigned char} value
--that fits into the US/UK ASCII character set, by clearing the high-order
--bits.  This function is a BSD extension and is also an SVID extension.
--@end deftypefun
--
--@comment ctype.h
--@comment SVID
--@deftypefun int _tolower (int @var{c})
--This is identical to @code{tolower}, and is provided for compatibility
--with the SVID.  @xref{SVID}.@refill
--@end deftypefun
--
--@comment ctype.h
--@comment SVID
--@deftypefun int _toupper (int @var{c})
--This is identical to @code{toupper}, and is provided for compatibility
--with the SVID.
--@end deftypefun
--
--
--@node Classification of Wide Characters, Using Wide Char Classes, Case Conversion, Character Handling
--@section Character class determination for wide characters
--
--@w{Amendment 1} to @w{ISO C90} defines functions to classify wide
--characters.  Although the original @w{ISO C90} standard already defined
--the type @code{wchar_t}, no functions operating on them were defined.
--
--The general design of the classification functions for wide characters
--is more general.  It allows extensions to the set of available
--classifications, beyond those which are always available.  The POSIX
--standard specifies how extensions can be made, and this is already
--implemented in the @glibcadj{} implementation of the @code{localedef}
--program.
--
--The character class functions are normally implemented with bitsets,
--with a bitset per character.  For a given character, the appropriate
--bitset is read from a table and a test is performed as to whether a
--certain bit is set.  Which bit is tested for is determined by the
--class.
--
--For the wide character classification functions this is made visible.
--There is a type classification type defined, a function to retrieve this
--value for a given class, and a function to test whether a given
--character is in this class, using the classification value.  On top of
--this the normal character classification functions as used for
--@code{char} objects can be defined.
--
--@comment wctype.h
--@comment ISO
--@deftp {Data type} wctype_t
--The @code{wctype_t} can hold a value which represents a character class.
--The only defined way to generate such a value is by using the
--@code{wctype} function.
--
--@pindex wctype.h
--This type is defined in @file{wctype.h}.
--@end deftp
--
--@comment wctype.h
--@comment ISO
--@deftypefun wctype_t wctype (const char *@var{property})
--The @code{wctype} returns a value representing a class of wide
--characters which is identified by the string @var{property}.  Beside
--some standard properties each locale can define its own ones.  In case
--no property with the given name is known for the current locale
--selected for the @code{LC_CTYPE} category, the function returns zero.
--
--@noindent
--The properties known in every locale are:
--
--@multitable @columnfractions .25 .25 .25 .25
--@item
--@code{"alnum"} @tab @code{"alpha"} @tab @code{"cntrl"} @tab @code{"digit"}
--@item
--@code{"graph"} @tab @code{"lower"} @tab @code{"print"} @tab @code{"punct"}
--@item
--@code{"space"} @tab @code{"upper"} @tab @code{"xdigit"}
--@end multitable
--
--@pindex wctype.h
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--To test the membership of a character to one of the non-standard classes
--the @w{ISO C} standard defines a completely new function.
--
--@comment wctype.h
--@comment ISO
--@deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
--This function returns a nonzero value if @var{wc} is in the character
--class specified by @var{desc}.  @var{desc} must previously be returned
--by a successful call to @code{wctype}.
--
--@pindex wctype.h
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--To make it easier to use the commonly-used classification functions,
--they are defined in the C library.  There is no need to use
--@code{wctype} if the property string is one of the known character
--classes.  In some situations it is desirable to construct the property
--strings, and then it is important that @code{wctype} can also handle the
--standard classes.
--
--@cindex alphanumeric character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswalnum (wint_t @var{wc})
--This function returns a nonzero value if @var{wc} is an alphanumeric
--character (a letter or number); in other words, if either @code{iswalpha}
--or @code{iswdigit} is true of a character, then @code{iswalnum} is also
--true.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("alnum"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex alphabetic character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswalpha (wint_t @var{wc})
--Returns true if @var{wc} is an alphabetic character (a letter).  If
--@code{iswlower} or @code{iswupper} is true of a character, then
--@code{iswalpha} is also true.
--
--In some locales, there may be additional characters for which
--@code{iswalpha} is true---letters which are neither upper case nor lower
--case.  But in the standard @code{"C"} locale, there are no such
--additional characters.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("alpha"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex control character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswcntrl (wint_t @var{wc})
--Returns true if @var{wc} is a control character (that is, a character that
--is not a printing character).
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("cntrl"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex digit character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswdigit (wint_t @var{wc})
--Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
--Please note that this function does not only return a nonzero value for
--@emph{decimal} digits, but for all kinds of digits.  A consequence is
--that code like the following will @strong{not} work unconditionally for
--wide characters:
--
--@smallexample
--n = 0;
--while (iswdigit (*wc))
--  @{
--    n *= 10;
--    n += *wc++ - L'0';
--  @}
--@end smallexample
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("digit"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex graphic character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswgraph (wint_t @var{wc})
--Returns true if @var{wc} is a graphic character; that is, a character
--that has a glyph associated with it.  The whitespace characters are not
--considered graphic.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("graph"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex lower-case character
--@comment ctype.h
--@comment ISO
--@deftypefun int iswlower (wint_t @var{wc})
--Returns true if @var{wc} is a lower-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("lower"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex printing character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswprint (wint_t @var{wc})
--Returns true if @var{wc} is a printing character.  Printing characters
--include all the graphic characters, plus the space (@samp{ }) character.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("print"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex punctuation character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswpunct (wint_t @var{wc})
--Returns true if @var{wc} is a punctuation character.
--This means any printing character that is not alphanumeric or a space
--character.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("punct"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex whitespace character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswspace (wint_t @var{wc})
--Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
--@code{"C"} locale, @code{iswspace} returns true for only the standard
--whitespace characters:
--
--@table @code
--@item L' '
--space
--
--@item L'\f'
--formfeed
--
--@item L'\n'
--newline
--
--@item L'\r'
--carriage return
--
--@item L'\t'
--horizontal tab
--
--@item L'\v'
--vertical tab
--@end table
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("space"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex upper-case character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswupper (wint_t @var{wc})
--Returns true if @var{wc} is an upper-case letter.  The letter need not be
--from the Latin alphabet, any alphabet representable is valid.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("upper"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@cindex hexadecimal digit character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswxdigit (wint_t @var{wc})
--Returns true if @var{wc} is a hexadecimal digit.
--Hexadecimal digits include the normal decimal digits @samp{0} through
--@samp{9} and the letters @samp{A} through @samp{F} and
--@samp{a} through @samp{f}.
--
--@noindent
--This function can be implemented using
--
--@smallexample
--iswctype (wc, wctype ("xdigit"))
--@end smallexample
--
--@pindex wctype.h
--It is declared in @file{wctype.h}.
--@end deftypefun
--
--@Theglibc{} also provides a function which is not defined in the
--@w{ISO C} standard but which is available as a version for single byte
--characters as well.
--
--@cindex blank character
--@comment wctype.h
--@comment ISO
--@deftypefun int iswblank (wint_t @var{wc})
--Returns true if @var{wc} is a blank character; that is, a space or a tab.
--This function was originally a GNU extension, but was added in @w{ISO C99}.
--It is declared in @file{wchar.h}.
--@end deftypefun
--
--@node Using Wide Char Classes, Wide Character Case Conversion, Classification of Wide Characters, Character Handling
--@section Notes on using the wide character classes
--
--The first note is probably not astonishing but still occasionally a
--cause of problems.  The @code{isw@var{XXX}} functions can be implemented
--using macros and in fact, @theglibc{} does this.  They are still
--available as real functions but when the @file{wctype.h} header is
--included the macros will be used.  This is the same as the
--@code{char} type versions of these functions.
--
--The second note covers something new.  It can be best illustrated by a
--(real-world) example.  The first piece of code is an excerpt from the
--original code.  It is truncated a bit but the intention should be clear.
--
--@smallexample
--int
--is_in_class (int c, const char *class)
--@{
--  if (strcmp (class, "alnum") == 0)
--    return isalnum (c);
--  if (strcmp (class, "alpha") == 0)
--    return isalpha (c);
--  if (strcmp (class, "cntrl") == 0)
--    return iscntrl (c);
--  @dots{}
--  return 0;
--@}
--@end smallexample
--
--Now, with the @code{wctype} and @code{iswctype} you can avoid the
--@code{if} cascades, but rewriting the code as follows is wrong:
--
--@smallexample
--int
--is_in_class (int c, const char *class)
--@{
--  wctype_t desc = wctype (class);
--  return desc ? iswctype ((wint_t) c, desc) : 0;
--@}
--@end smallexample
--
--The problem is that it is not guaranteed that the wide character
--representation of a single-byte character can be found using casting.
--In fact, usually this fails miserably.  The correct solution to this
--problem is to write the code as follows:
--
--@smallexample
--int
--is_in_class (int c, const char *class)
--@{
--  wctype_t desc = wctype (class);
--  return desc ? iswctype (btowc (c), desc) : 0;
--@}
--@end smallexample
--
--@xref{Converting a Character}, for more information on @code{btowc}.
--Note that this change probably does not improve the performance
--of the program a lot since the @code{wctype} function still has to make
--the string comparisons.  It gets really interesting if the
--@code{is_in_class} function is called more than once for the
--same class name.  In this case the variable @var{desc} could be computed
--once and reused for all the calls.  Therefore the above form of the
--function is probably not the final one.
--
--
--@node Wide Character Case Conversion, , Using Wide Char Classes, Character Handling
--@section Mapping of wide characters.
--
--The classification functions are also generalized by the @w{ISO C}
--standard.  Instead of just allowing the two standard mappings, a
--locale can contain others.  Again, the @code{localedef} program
--already supports generating such locale data files.
--
--@comment wctype.h
--@comment ISO
--@deftp {Data Type} wctrans_t
--This data type is defined as a scalar type which can hold a value
--representing the locale-dependent character mapping.  There is no way to
--construct such a value apart from using the return value of the
--@code{wctrans} function.
--
--@pindex wctype.h
--@noindent
--This type is defined in @file{wctype.h}.
--@end deftp
--
--@comment wctype.h
--@comment ISO
--@deftypefun wctrans_t wctrans (const char *@var{property})
--@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
--The @code{wctrans} function has to be used to find out whether a named
--mapping is defined in the current locale selected for the
--@code{LC_CTYPE} category.  If the returned value is non-zero, you can use
--it afterwards in calls to @code{towctrans}.  If the return value is
--zero no such mapping is known in the current locale.
--
--Beside locale-specific mappings there are two mappings which are
--guaranteed to be available in every locale:
--
--@multitable @columnfractions .5 .5
--@item
--@code{"tolower"} @tab @code{"toupper"}
--@end multitable
--
--@pindex wctype.h
--@noindent
--These functions are declared in @file{wctype.h}.
--@end deftypefun
--
--@comment wctype.h
--@comment ISO
--@deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
--@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
--@code{towctrans} maps the input character @var{wc}
--according to the rules of the mapping for which @var{desc} is a
--descriptor, and returns the value it finds.  @var{desc} must be
--obtained by a successful call to @code{wctrans}.
--
--@pindex wctype.h
--@noindent
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--For the generally available mappings, the @w{ISO C} standard defines
--convenient shortcuts so that it is not necessary to call @code{wctrans}
--for them.
--
--@comment wctype.h
--@comment ISO
--@deftypefun wint_t towlower (wint_t @var{wc})
--If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
--lower-case letter.  If @var{wc} is not an upper-case letter,
--@var{wc} is returned unchanged.
--
--@noindent
--@code{towlower} can be implemented using
--
--@smallexample
--towctrans (wc, wctrans ("tolower"))
--@end smallexample
--
--@pindex wctype.h
--@noindent
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--@comment wctype.h
--@comment ISO
--@deftypefun wint_t towupper (wint_t @var{wc})
--If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
--upper-case letter.  Otherwise @var{wc} is returned unchanged.
--
--@noindent
--@code{towupper} can be implemented using
--
--@smallexample
--towctrans (wc, wctrans ("toupper"))
--@end smallexample
--
--@pindex wctype.h
--@noindent
--This function is declared in @file{wctype.h}.
--@end deftypefun
--
--The same warnings given in the last section for the use of the wide
--character classification functions apply here.  It is not possible to
--simply cast a @code{char} type value to a @code{wint_t} and use it as an
--argument to @code{towctrans} calls.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=92ecb9cc92814d23ccb743dab61d49f352050d65

commit 92ecb9cc92814d23ccb743dab61d49f352050d65
Merge: ebdffc7 db2ee3a fa0e164
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:43:21 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ebdffc717c6099f054d348d124c39414d7d6c9a8

commit ebdffc717c6099f054d348d124c39414d7d6c9a8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:43:21 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 67da860..d6de884 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: cbc4be3ddd767d1a801d3f67429eac5fff0e8967
-Head: fbb71ce3cced40f87c25964011852d114f327c36
+Previous: fa0e164579ef7d32d41b16568c2074df2d84ea0d
+Head: db2ee3a6f7f5658cf70172ca995df47e3b27c3a0
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,7 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: fbb71ce3cced40f87c25964011852d114f327c36
+  refresh-temp: db2ee3a6f7f5658cf70172ca995df47e3b27c3a0
 Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..818f328
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,787 @@
+Bottom: 1f38562405d3b5dadb8c27bd94ec1cba5a2481da
+Top:    eb7c2702254befc63994aae3ba24a286ee829464
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-08-13 21:43:21 -0300
+
+Refresh of manual-document-mt-safety-ctype.patch
+
+---
+
+diff --git a/manual/ctype.texi b/manual/ctype.texi
+deleted file mode 100644
+index f05d509..0000000
+--- a/manual/ctype.texi
++++ /dev/null
+@@ -1,772 +0,0 @@
+-@node Character Handling, String and Array Utilities, Memory, Top
+-@c %MENU% Character testing and conversion functions
+-@chapter Character Handling
+-
+-Programs that work with characters and strings often need to classify a
+-character---is it alphabetic, is it a digit, is it whitespace, and so
+-on---and perform case conversion operations on characters.  The
+-functions in the header file @file{ctype.h} are provided for this
+-purpose.
+-@pindex ctype.h
+-
+-Since the choice of locale and character set can alter the
+-classifications of particular character codes, all of these functions
+-are affected by the current locale.  (More precisely, they are affected
+-by the locale currently selected for character classification---the
+-@code{LC_CTYPE} category; see @ref{Locale Categories}.)
+-
+-The @w{ISO C} standard specifies two different sets of functions.  The
+-one set works on @code{char} type characters, the other one on
+-@code{wchar_t} wide characters (@pxref{Extended Char Intro}).
+-
+-@menu
+-* Classification of Characters::       Testing whether characters are
+-			                letters, digits, punctuation, etc.
+-
+-* Case Conversion::                    Case mapping, and the like.
+-* Classification of Wide Characters::  Character class determination for
+-                                        wide characters.
+-* Using Wide Char Classes::            Notes on using the wide character
+-                                        classes.
+-* Wide Character Case Conversion::     Mapping of wide characters.
+-@end menu
+-
+-@node Classification of Characters, Case Conversion,  , Character Handling
+-@section Classification of Characters
+-@cindex character testing
+-@cindex classification of characters
+-@cindex predicates on characters
+-@cindex character predicates
+-
+-This section explains the library functions for classifying characters.
+-For example, @code{isalpha} is the function to test for an alphabetic
+-character.  It takes one argument, the character to test, and returns a
+-nonzero integer if the character is alphabetic, and zero otherwise.  You
+-would use it like this:
+-
+-@smallexample
+-if (isalpha (c))
+-  printf ("The character `%c' is alphabetic.\n", c);
+-@end smallexample
+-
+-Each of the functions in this section tests for membership in a
+-particular class of characters; each has a name starting with @samp{is}.
+-Each of them takes one argument, which is a character to test, and
+-returns an @code{int} which is treated as a boolean value.  The
+-character argument is passed as an @code{int}, and it may be the
+-constant value @code{EOF} instead of a real character.
+-
+-The attributes of any given character can vary between locales.
+-@xref{Locales}, for more information on locales.@refill
+-
+-These functions are declared in the header file @file{ctype.h}.
+-@pindex ctype.h
+-
+-@cindex lower-case character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int islower (int @var{c})
+-Returns true if @var{c} is a lower-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-@end deftypefun
+-
+-@cindex upper-case character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isupper (int @var{c})
+-Returns true if @var{c} is an upper-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-@end deftypefun
+-
+-@cindex alphabetic character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isalpha (int @var{c})
+-Returns true if @var{c} is an alphabetic character (a letter).  If
+-@code{islower} or @code{isupper} is true of a character, then
+-@code{isalpha} is also true.
+-
+-In some locales, there may be additional characters for which
+-@code{isalpha} is true---letters which are neither upper case nor lower
+-case.  But in the standard @code{"C"} locale, there are no such
+-additional characters.
+-@end deftypefun
+-
+-@cindex digit character
+-@cindex decimal digit character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isdigit (int @var{c})
+-Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+-@end deftypefun
+-
+-@cindex alphanumeric character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isalnum (int @var{c})
+-Returns true if @var{c} is an alphanumeric character (a letter or
+-number); in other words, if either @code{isalpha} or @code{isdigit} is
+-true of a character, then @code{isalnum} is also true.
+-@end deftypefun
+-
+-@cindex hexadecimal digit character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isxdigit (int @var{c})
+-Returns true if @var{c} is a hexadecimal digit.
+-Hexadecimal digits include the normal decimal digits @samp{0} through
+-@samp{9} and the letters @samp{A} through @samp{F} and
+-@samp{a} through @samp{f}.
+-@end deftypefun
+-
+-@cindex punctuation character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int ispunct (int @var{c})
+-Returns true if @var{c} is a punctuation character.
+-This means any printing character that is not alphanumeric or a space
+-character.
+-@end deftypefun
+-
+-@cindex whitespace character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isspace (int @var{c})
+-Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
+-@code{"C"} locale, @code{isspace} returns true for only the standard
+-whitespace characters:
+-
+-@table @code
+-@item ' '
+-space
+-
+-@item '\f'
+-formfeed
+-
+-@item '\n'
+-newline
+-
+-@item '\r'
+-carriage return
+-
+-@item '\t'
+-horizontal tab
+-
+-@item '\v'
+-vertical tab
+-@end table
+-@end deftypefun
+-
+-@cindex blank character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isblank (int @var{c})
+-Returns true if @var{c} is a blank character; that is, a space or a tab.
+-This function was originally a GNU extension, but was added in @w{ISO C99}.
+-@end deftypefun
+-
+-@cindex graphic character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isgraph (int @var{c})
+-Returns true if @var{c} is a graphic character; that is, a character
+-that has a glyph associated with it.  The whitespace characters are not
+-considered graphic.
+-@end deftypefun
+-
+-@cindex printing character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int isprint (int @var{c})
+-Returns true if @var{c} is a printing character.  Printing characters
+-include all the graphic characters, plus the space (@samp{ }) character.
+-@end deftypefun
+-
+-@cindex control character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int iscntrl (int @var{c})
+-Returns true if @var{c} is a control character (that is, a character that
+-is not a printing character).
+-@end deftypefun
+-
+-@cindex ASCII character
+-@comment ctype.h
+-@comment SVID, BSD
+-@deftypefun int isascii (int @var{c})
+-Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
+-into the US/UK ASCII character set.  This function is a BSD extension
+-and is also an SVID extension.
+-@end deftypefun
+-
+-@node Case Conversion, Classification of Wide Characters, Classification of Characters, Character Handling
+-@section Case Conversion
+-@cindex character case conversion
+-@cindex case conversion of characters
+-@cindex converting case of characters
+-
+-This section explains the library functions for performing conversions
+-such as case mappings on characters.  For example, @code{toupper}
+-converts any character to upper case if possible.  If the character
+-can't be converted, @code{toupper} returns it unchanged.
+-
+-These functions take one argument of type @code{int}, which is the
+-character to convert, and return the converted character as an
+-@code{int}.  If the conversion is not applicable to the argument given,
+-the argument is returned unchanged.
+-
+-@strong{Compatibility Note:} In pre-@w{ISO C} dialects, instead of
+-returning the argument unchanged, these functions may fail when the
+-argument is not suitable for the conversion.  Thus for portability, you
+-may need to write @code{islower(c) ? toupper(c) : c} rather than just
+-@code{toupper(c)}.
+-
+-These functions are declared in the header file @file{ctype.h}.
+-@pindex ctype.h
+-
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int tolower (int @var{c})
+-If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
+-lower-case letter.  If @var{c} is not an upper-case letter,
+-@var{c} is returned unchanged.
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int toupper (int @var{c})
+-If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
+-upper-case letter.  Otherwise @var{c} is returned unchanged.
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment SVID, BSD
+-@deftypefun int toascii (int @var{c})
+-This function converts @var{c} to a 7-bit @code{unsigned char} value
+-that fits into the US/UK ASCII character set, by clearing the high-order
+-bits.  This function is a BSD extension and is also an SVID extension.
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment SVID
+-@deftypefun int _tolower (int @var{c})
+-This is identical to @code{tolower}, and is provided for compatibility
+-with the SVID.  @xref{SVID}.@refill
+-@end deftypefun
+-
+-@comment ctype.h
+-@comment SVID
+-@deftypefun int _toupper (int @var{c})
+-This is identical to @code{toupper}, and is provided for compatibility
+-with the SVID.
+-@end deftypefun
+-
+-
+-@node Classification of Wide Characters, Using Wide Char Classes, Case Conversion, Character Handling
+-@section Character class determination for wide characters
+-
+-@w{Amendment 1} to @w{ISO C90} defines functions to classify wide
+-characters.  Although the original @w{ISO C90} standard already defined
+-the type @code{wchar_t}, no functions operating on them were defined.
+-
+-The general design of the classification functions for wide characters
+-is more general.  It allows extensions to the set of available
+-classifications, beyond those which are always available.  The POSIX
+-standard specifies how extensions can be made, and this is already
+-implemented in the @glibcadj{} implementation of the @code{localedef}
+-program.
+-
+-The character class functions are normally implemented with bitsets,
+-with a bitset per character.  For a given character, the appropriate
+-bitset is read from a table and a test is performed as to whether a
+-certain bit is set.  Which bit is tested for is determined by the
+-class.
+-
+-For the wide character classification functions this is made visible.
+-There is a type classification type defined, a function to retrieve this
+-value for a given class, and a function to test whether a given
+-character is in this class, using the classification value.  On top of
+-this the normal character classification functions as used for
+-@code{char} objects can be defined.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftp {Data type} wctype_t
+-The @code{wctype_t} can hold a value which represents a character class.
+-The only defined way to generate such a value is by using the
+-@code{wctype} function.
+-
+-@pindex wctype.h
+-This type is defined in @file{wctype.h}.
+-@end deftp
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wctype_t wctype (const char *@var{property})
+-The @code{wctype} returns a value representing a class of wide
+-characters which is identified by the string @var{property}.  Beside
+-some standard properties each locale can define its own ones.  In case
+-no property with the given name is known for the current locale
+-selected for the @code{LC_CTYPE} category, the function returns zero.
+-
+-@noindent
+-The properties known in every locale are:
+-
+-@multitable @columnfractions .25 .25 .25 .25
+-@item
+-@code{"alnum"} @tab @code{"alpha"} @tab @code{"cntrl"} @tab @code{"digit"}
+-@item
+-@code{"graph"} @tab @code{"lower"} @tab @code{"print"} @tab @code{"punct"}
+-@item
+-@code{"space"} @tab @code{"upper"} @tab @code{"xdigit"}
+-@end multitable
+-
+-@pindex wctype.h
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-To test the membership of a character to one of the non-standard classes
+-the @w{ISO C} standard defines a completely new function.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+-This function returns a nonzero value if @var{wc} is in the character
+-class specified by @var{desc}.  @var{desc} must previously be returned
+-by a successful call to @code{wctype}.
+-
+-@pindex wctype.h
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-To make it easier to use the commonly-used classification functions,
+-they are defined in the C library.  There is no need to use
+-@code{wctype} if the property string is one of the known character
+-classes.  In some situations it is desirable to construct the property
+-strings, and then it is important that @code{wctype} can also handle the
+-standard classes.
+-
+-@cindex alphanumeric character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswalnum (wint_t @var{wc})
+-This function returns a nonzero value if @var{wc} is an alphanumeric
+-character (a letter or number); in other words, if either @code{iswalpha}
+-or @code{iswdigit} is true of a character, then @code{iswalnum} is also
+-true.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("alnum"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex alphabetic character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswalpha (wint_t @var{wc})
+-Returns true if @var{wc} is an alphabetic character (a letter).  If
+-@code{iswlower} or @code{iswupper} is true of a character, then
+-@code{iswalpha} is also true.
+-
+-In some locales, there may be additional characters for which
+-@code{iswalpha} is true---letters which are neither upper case nor lower
+-case.  But in the standard @code{"C"} locale, there are no such
+-additional characters.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("alpha"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex control character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswcntrl (wint_t @var{wc})
+-Returns true if @var{wc} is a control character (that is, a character that
+-is not a printing character).
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("cntrl"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex digit character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswdigit (wint_t @var{wc})
+-Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
+-Please note that this function does not only return a nonzero value for
+-@emph{decimal} digits, but for all kinds of digits.  A consequence is
+-that code like the following will @strong{not} work unconditionally for
+-wide characters:
+-
+-@smallexample
+-n = 0;
+-while (iswdigit (*wc))
+-  @{
+-    n *= 10;
+-    n += *wc++ - L'0';
+-  @}
+-@end smallexample
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("digit"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex graphic character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswgraph (wint_t @var{wc})
+-Returns true if @var{wc} is a graphic character; that is, a character
+-that has a glyph associated with it.  The whitespace characters are not
+-considered graphic.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("graph"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex lower-case character
+-@comment ctype.h
+-@comment ISO
+-@deftypefun int iswlower (wint_t @var{wc})
+-Returns true if @var{wc} is a lower-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("lower"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex printing character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswprint (wint_t @var{wc})
+-Returns true if @var{wc} is a printing character.  Printing characters
+-include all the graphic characters, plus the space (@samp{ }) character.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("print"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex punctuation character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswpunct (wint_t @var{wc})
+-Returns true if @var{wc} is a punctuation character.
+-This means any printing character that is not alphanumeric or a space
+-character.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("punct"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex whitespace character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswspace (wint_t @var{wc})
+-Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
+-@code{"C"} locale, @code{iswspace} returns true for only the standard
+-whitespace characters:
+-
+-@table @code
+-@item L' '
+-space
+-
+-@item L'\f'
+-formfeed
+-
+-@item L'\n'
+-newline
+-
+-@item L'\r'
+-carriage return
+-
+-@item L'\t'
+-horizontal tab
+-
+-@item L'\v'
+-vertical tab
+-@end table
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("space"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex upper-case character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswupper (wint_t @var{wc})
+-Returns true if @var{wc} is an upper-case letter.  The letter need not be
+-from the Latin alphabet, any alphabet representable is valid.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("upper"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@cindex hexadecimal digit character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswxdigit (wint_t @var{wc})
+-Returns true if @var{wc} is a hexadecimal digit.
+-Hexadecimal digits include the normal decimal digits @samp{0} through
+-@samp{9} and the letters @samp{A} through @samp{F} and
+-@samp{a} through @samp{f}.
+-
+-@noindent
+-This function can be implemented using
+-
+-@smallexample
+-iswctype (wc, wctype ("xdigit"))
+-@end smallexample
+-
+-@pindex wctype.h
+-It is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@Theglibc{} also provides a function which is not defined in the
+-@w{ISO C} standard but which is available as a version for single byte
+-characters as well.
+-
+-@cindex blank character
+-@comment wctype.h
+-@comment ISO
+-@deftypefun int iswblank (wint_t @var{wc})
+-Returns true if @var{wc} is a blank character; that is, a space or a tab.
+-This function was originally a GNU extension, but was added in @w{ISO C99}.
+-It is declared in @file{wchar.h}.
+-@end deftypefun
+-
+-@node Using Wide Char Classes, Wide Character Case Conversion, Classification of Wide Characters, Character Handling
+-@section Notes on using the wide character classes
+-
+-The first note is probably not astonishing but still occasionally a
+-cause of problems.  The @code{isw@var{XXX}} functions can be implemented
+-using macros and in fact, @theglibc{} does this.  They are still
+-available as real functions but when the @file{wctype.h} header is
+-included the macros will be used.  This is the same as the
+-@code{char} type versions of these functions.
+-
+-The second note covers something new.  It can be best illustrated by a
+-(real-world) example.  The first piece of code is an excerpt from the
+-original code.  It is truncated a bit but the intention should be clear.
+-
+-@smallexample
+-int
+-is_in_class (int c, const char *class)
+-@{
+-  if (strcmp (class, "alnum") == 0)
+-    return isalnum (c);
+-  if (strcmp (class, "alpha") == 0)
+-    return isalpha (c);
+-  if (strcmp (class, "cntrl") == 0)
+-    return iscntrl (c);
+-  @dots{}
+-  return 0;
+-@}
+-@end smallexample
+-
+-Now, with the @code{wctype} and @code{iswctype} you can avoid the
+-@code{if} cascades, but rewriting the code as follows is wrong:
+-
+-@smallexample
+-int
+-is_in_class (int c, const char *class)
+-@{
+-  wctype_t desc = wctype (class);
+-  return desc ? iswctype ((wint_t) c, desc) : 0;
+-@}
+-@end smallexample
+-
+-The problem is that it is not guaranteed that the wide character
+-representation of a single-byte character can be found using casting.
+-In fact, usually this fails miserably.  The correct solution to this
+-problem is to write the code as follows:
+-
+-@smallexample
+-int
+-is_in_class (int c, const char *class)
+-@{
+-  wctype_t desc = wctype (class);
+-  return desc ? iswctype (btowc (c), desc) : 0;
+-@}
+-@end smallexample
+-
+-@xref{Converting a Character}, for more information on @code{btowc}.
+-Note that this change probably does not improve the performance
+-of the program a lot since the @code{wctype} function still has to make
+-the string comparisons.  It gets really interesting if the
+-@code{is_in_class} function is called more than once for the
+-same class name.  In this case the variable @var{desc} could be computed
+-once and reused for all the calls.  Therefore the above form of the
+-function is probably not the final one.
+-
+-
+-@node Wide Character Case Conversion, , Using Wide Char Classes, Character Handling
+-@section Mapping of wide characters.
+-
+-The classification functions are also generalized by the @w{ISO C}
+-standard.  Instead of just allowing the two standard mappings, a
+-locale can contain others.  Again, the @code{localedef} program
+-already supports generating such locale data files.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftp {Data Type} wctrans_t
+-This data type is defined as a scalar type which can hold a value
+-representing the locale-dependent character mapping.  There is no way to
+-construct such a value apart from using the return value of the
+-@code{wctrans} function.
+-
+-@pindex wctype.h
+-@noindent
+-This type is defined in @file{wctype.h}.
+-@end deftp
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wctrans_t wctrans (const char *@var{property})
+-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+-The @code{wctrans} function has to be used to find out whether a named
+-mapping is defined in the current locale selected for the
+-@code{LC_CTYPE} category.  If the returned value is non-zero, you can use
+-it afterwards in calls to @code{towctrans}.  If the return value is
+-zero no such mapping is known in the current locale.
+-
+-Beside locale-specific mappings there are two mappings which are
+-guaranteed to be available in every locale:
+-
+-@multitable @columnfractions .5 .5
+-@item
+-@code{"tolower"} @tab @code{"toupper"}
+-@end multitable
+-
+-@pindex wctype.h
+-@noindent
+-These functions are declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+-@code{towctrans} maps the input character @var{wc}
+-according to the rules of the mapping for which @var{desc} is a
+-descriptor, and returns the value it finds.  @var{desc} must be
+-obtained by a successful call to @code{wctrans}.
+-
+-@pindex wctype.h
+-@noindent
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-For the generally available mappings, the @w{ISO C} standard defines
+-convenient shortcuts so that it is not necessary to call @code{wctrans}
+-for them.
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wint_t towlower (wint_t @var{wc})
+-If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
+-lower-case letter.  If @var{wc} is not an upper-case letter,
+-@var{wc} is returned unchanged.
+-
+-@noindent
+-@code{towlower} can be implemented using
+-
+-@smallexample
+-towctrans (wc, wctrans ("tolower"))
+-@end smallexample
+-
+-@pindex wctype.h
+-@noindent
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-@comment wctype.h
+-@comment ISO
+-@deftypefun wint_t towupper (wint_t @var{wc})
+-If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
+-upper-case letter.  Otherwise @var{wc} is returned unchanged.
+-
+-@noindent
+-@code{towupper} can be implemented using
+-
+-@smallexample
+-towctrans (wc, wctrans ("toupper"))
+-@end smallexample
+-
+-@pindex wctype.h
+-@noindent
+-This function is declared in @file{wctype.h}.
+-@end deftypefun
+-
+-The same warnings given in the last section for the use of the wide
+-character classification functions apply here.  It is not possible to
+-simply cast a @code{char} type value to a @code{wint_t} and use it as an
+-argument to @code{towctrans} calls.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=db2ee3a6f7f5658cf70172ca995df47e3b27c3a0

commit db2ee3a6f7f5658cf70172ca995df47e3b27c3a0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:43:21 2013 -0300

    Refresh of manual-document-mt-safety-ctype.patch

diff --git a/manual/ctype.texi b/manual/ctype.texi
deleted file mode 100644
index f05d509..0000000
--- a/manual/ctype.texi
+++ /dev/null
@@ -1,772 +0,0 @@
-@node Character Handling, String and Array Utilities, Memory, Top
-@c %MENU% Character testing and conversion functions
-@chapter Character Handling
-
-Programs that work with characters and strings often need to classify a
-character---is it alphabetic, is it a digit, is it whitespace, and so
-on---and perform case conversion operations on characters.  The
-functions in the header file @file{ctype.h} are provided for this
-purpose.
-@pindex ctype.h
-
-Since the choice of locale and character set can alter the
-classifications of particular character codes, all of these functions
-are affected by the current locale.  (More precisely, they are affected
-by the locale currently selected for character classification---the
-@code{LC_CTYPE} category; see @ref{Locale Categories}.)
-
-The @w{ISO C} standard specifies two different sets of functions.  The
-one set works on @code{char} type characters, the other one on
-@code{wchar_t} wide characters (@pxref{Extended Char Intro}).
-
-@menu
-* Classification of Characters::       Testing whether characters are
-			                letters, digits, punctuation, etc.
-
-* Case Conversion::                    Case mapping, and the like.
-* Classification of Wide Characters::  Character class determination for
-                                        wide characters.
-* Using Wide Char Classes::            Notes on using the wide character
-                                        classes.
-* Wide Character Case Conversion::     Mapping of wide characters.
-@end menu
-
-@node Classification of Characters, Case Conversion,  , Character Handling
-@section Classification of Characters
-@cindex character testing
-@cindex classification of characters
-@cindex predicates on characters
-@cindex character predicates
-
-This section explains the library functions for classifying characters.
-For example, @code{isalpha} is the function to test for an alphabetic
-character.  It takes one argument, the character to test, and returns a
-nonzero integer if the character is alphabetic, and zero otherwise.  You
-would use it like this:
-
-@smallexample
-if (isalpha (c))
-  printf ("The character `%c' is alphabetic.\n", c);
-@end smallexample
-
-Each of the functions in this section tests for membership in a
-particular class of characters; each has a name starting with @samp{is}.
-Each of them takes one argument, which is a character to test, and
-returns an @code{int} which is treated as a boolean value.  The
-character argument is passed as an @code{int}, and it may be the
-constant value @code{EOF} instead of a real character.
-
-The attributes of any given character can vary between locales.
-@xref{Locales}, for more information on locales.@refill
-
-These functions are declared in the header file @file{ctype.h}.
-@pindex ctype.h
-
-@cindex lower-case character
-@comment ctype.h
-@comment ISO
-@deftypefun int islower (int @var{c})
-Returns true if @var{c} is a lower-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-@end deftypefun
-
-@cindex upper-case character
-@comment ctype.h
-@comment ISO
-@deftypefun int isupper (int @var{c})
-Returns true if @var{c} is an upper-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-@end deftypefun
-
-@cindex alphabetic character
-@comment ctype.h
-@comment ISO
-@deftypefun int isalpha (int @var{c})
-Returns true if @var{c} is an alphabetic character (a letter).  If
-@code{islower} or @code{isupper} is true of a character, then
-@code{isalpha} is also true.
-
-In some locales, there may be additional characters for which
-@code{isalpha} is true---letters which are neither upper case nor lower
-case.  But in the standard @code{"C"} locale, there are no such
-additional characters.
-@end deftypefun
-
-@cindex digit character
-@cindex decimal digit character
-@comment ctype.h
-@comment ISO
-@deftypefun int isdigit (int @var{c})
-Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
-@end deftypefun
-
-@cindex alphanumeric character
-@comment ctype.h
-@comment ISO
-@deftypefun int isalnum (int @var{c})
-Returns true if @var{c} is an alphanumeric character (a letter or
-number); in other words, if either @code{isalpha} or @code{isdigit} is
-true of a character, then @code{isalnum} is also true.
-@end deftypefun
-
-@cindex hexadecimal digit character
-@comment ctype.h
-@comment ISO
-@deftypefun int isxdigit (int @var{c})
-Returns true if @var{c} is a hexadecimal digit.
-Hexadecimal digits include the normal decimal digits @samp{0} through
-@samp{9} and the letters @samp{A} through @samp{F} and
-@samp{a} through @samp{f}.
-@end deftypefun
-
-@cindex punctuation character
-@comment ctype.h
-@comment ISO
-@deftypefun int ispunct (int @var{c})
-Returns true if @var{c} is a punctuation character.
-This means any printing character that is not alphanumeric or a space
-character.
-@end deftypefun
-
-@cindex whitespace character
-@comment ctype.h
-@comment ISO
-@deftypefun int isspace (int @var{c})
-Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
-@code{"C"} locale, @code{isspace} returns true for only the standard
-whitespace characters:
-
-@table @code
-@item ' '
-space
-
-@item '\f'
-formfeed
-
-@item '\n'
-newline
-
-@item '\r'
-carriage return
-
-@item '\t'
-horizontal tab
-
-@item '\v'
-vertical tab
-@end table
-@end deftypefun
-
-@cindex blank character
-@comment ctype.h
-@comment ISO
-@deftypefun int isblank (int @var{c})
-Returns true if @var{c} is a blank character; that is, a space or a tab.
-This function was originally a GNU extension, but was added in @w{ISO C99}.
-@end deftypefun
-
-@cindex graphic character
-@comment ctype.h
-@comment ISO
-@deftypefun int isgraph (int @var{c})
-Returns true if @var{c} is a graphic character; that is, a character
-that has a glyph associated with it.  The whitespace characters are not
-considered graphic.
-@end deftypefun
-
-@cindex printing character
-@comment ctype.h
-@comment ISO
-@deftypefun int isprint (int @var{c})
-Returns true if @var{c} is a printing character.  Printing characters
-include all the graphic characters, plus the space (@samp{ }) character.
-@end deftypefun
-
-@cindex control character
-@comment ctype.h
-@comment ISO
-@deftypefun int iscntrl (int @var{c})
-Returns true if @var{c} is a control character (that is, a character that
-is not a printing character).
-@end deftypefun
-
-@cindex ASCII character
-@comment ctype.h
-@comment SVID, BSD
-@deftypefun int isascii (int @var{c})
-Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
-into the US/UK ASCII character set.  This function is a BSD extension
-and is also an SVID extension.
-@end deftypefun
-
-@node Case Conversion, Classification of Wide Characters, Classification of Characters, Character Handling
-@section Case Conversion
-@cindex character case conversion
-@cindex case conversion of characters
-@cindex converting case of characters
-
-This section explains the library functions for performing conversions
-such as case mappings on characters.  For example, @code{toupper}
-converts any character to upper case if possible.  If the character
-can't be converted, @code{toupper} returns it unchanged.
-
-These functions take one argument of type @code{int}, which is the
-character to convert, and return the converted character as an
-@code{int}.  If the conversion is not applicable to the argument given,
-the argument is returned unchanged.
-
-@strong{Compatibility Note:} In pre-@w{ISO C} dialects, instead of
-returning the argument unchanged, these functions may fail when the
-argument is not suitable for the conversion.  Thus for portability, you
-may need to write @code{islower(c) ? toupper(c) : c} rather than just
-@code{toupper(c)}.
-
-These functions are declared in the header file @file{ctype.h}.
-@pindex ctype.h
-
-@comment ctype.h
-@comment ISO
-@deftypefun int tolower (int @var{c})
-If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
-lower-case letter.  If @var{c} is not an upper-case letter,
-@var{c} is returned unchanged.
-@end deftypefun
-
-@comment ctype.h
-@comment ISO
-@deftypefun int toupper (int @var{c})
-If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
-upper-case letter.  Otherwise @var{c} is returned unchanged.
-@end deftypefun
-
-@comment ctype.h
-@comment SVID, BSD
-@deftypefun int toascii (int @var{c})
-This function converts @var{c} to a 7-bit @code{unsigned char} value
-that fits into the US/UK ASCII character set, by clearing the high-order
-bits.  This function is a BSD extension and is also an SVID extension.
-@end deftypefun
-
-@comment ctype.h
-@comment SVID
-@deftypefun int _tolower (int @var{c})
-This is identical to @code{tolower}, and is provided for compatibility
-with the SVID.  @xref{SVID}.@refill
-@end deftypefun
-
-@comment ctype.h
-@comment SVID
-@deftypefun int _toupper (int @var{c})
-This is identical to @code{toupper}, and is provided for compatibility
-with the SVID.
-@end deftypefun
-
-
-@node Classification of Wide Characters, Using Wide Char Classes, Case Conversion, Character Handling
-@section Character class determination for wide characters
-
-@w{Amendment 1} to @w{ISO C90} defines functions to classify wide
-characters.  Although the original @w{ISO C90} standard already defined
-the type @code{wchar_t}, no functions operating on them were defined.
-
-The general design of the classification functions for wide characters
-is more general.  It allows extensions to the set of available
-classifications, beyond those which are always available.  The POSIX
-standard specifies how extensions can be made, and this is already
-implemented in the @glibcadj{} implementation of the @code{localedef}
-program.
-
-The character class functions are normally implemented with bitsets,
-with a bitset per character.  For a given character, the appropriate
-bitset is read from a table and a test is performed as to whether a
-certain bit is set.  Which bit is tested for is determined by the
-class.
-
-For the wide character classification functions this is made visible.
-There is a type classification type defined, a function to retrieve this
-value for a given class, and a function to test whether a given
-character is in this class, using the classification value.  On top of
-this the normal character classification functions as used for
-@code{char} objects can be defined.
-
-@comment wctype.h
-@comment ISO
-@deftp {Data type} wctype_t
-The @code{wctype_t} can hold a value which represents a character class.
-The only defined way to generate such a value is by using the
-@code{wctype} function.
-
-@pindex wctype.h
-This type is defined in @file{wctype.h}.
-@end deftp
-
-@comment wctype.h
-@comment ISO
-@deftypefun wctype_t wctype (const char *@var{property})
-The @code{wctype} returns a value representing a class of wide
-characters which is identified by the string @var{property}.  Beside
-some standard properties each locale can define its own ones.  In case
-no property with the given name is known for the current locale
-selected for the @code{LC_CTYPE} category, the function returns zero.
-
-@noindent
-The properties known in every locale are:
-
-@multitable @columnfractions .25 .25 .25 .25
-@item
-@code{"alnum"} @tab @code{"alpha"} @tab @code{"cntrl"} @tab @code{"digit"}
-@item
-@code{"graph"} @tab @code{"lower"} @tab @code{"print"} @tab @code{"punct"}
-@item
-@code{"space"} @tab @code{"upper"} @tab @code{"xdigit"}
-@end multitable
-
-@pindex wctype.h
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-To test the membership of a character to one of the non-standard classes
-the @w{ISO C} standard defines a completely new function.
-
-@comment wctype.h
-@comment ISO
-@deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
-This function returns a nonzero value if @var{wc} is in the character
-class specified by @var{desc}.  @var{desc} must previously be returned
-by a successful call to @code{wctype}.
-
-@pindex wctype.h
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-To make it easier to use the commonly-used classification functions,
-they are defined in the C library.  There is no need to use
-@code{wctype} if the property string is one of the known character
-classes.  In some situations it is desirable to construct the property
-strings, and then it is important that @code{wctype} can also handle the
-standard classes.
-
-@cindex alphanumeric character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswalnum (wint_t @var{wc})
-This function returns a nonzero value if @var{wc} is an alphanumeric
-character (a letter or number); in other words, if either @code{iswalpha}
-or @code{iswdigit} is true of a character, then @code{iswalnum} is also
-true.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("alnum"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex alphabetic character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswalpha (wint_t @var{wc})
-Returns true if @var{wc} is an alphabetic character (a letter).  If
-@code{iswlower} or @code{iswupper} is true of a character, then
-@code{iswalpha} is also true.
-
-In some locales, there may be additional characters for which
-@code{iswalpha} is true---letters which are neither upper case nor lower
-case.  But in the standard @code{"C"} locale, there are no such
-additional characters.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("alpha"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex control character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswcntrl (wint_t @var{wc})
-Returns true if @var{wc} is a control character (that is, a character that
-is not a printing character).
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("cntrl"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex digit character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswdigit (wint_t @var{wc})
-Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
-Please note that this function does not only return a nonzero value for
-@emph{decimal} digits, but for all kinds of digits.  A consequence is
-that code like the following will @strong{not} work unconditionally for
-wide characters:
-
-@smallexample
-n = 0;
-while (iswdigit (*wc))
-  @{
-    n *= 10;
-    n += *wc++ - L'0';
-  @}
-@end smallexample
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("digit"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex graphic character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswgraph (wint_t @var{wc})
-Returns true if @var{wc} is a graphic character; that is, a character
-that has a glyph associated with it.  The whitespace characters are not
-considered graphic.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("graph"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex lower-case character
-@comment ctype.h
-@comment ISO
-@deftypefun int iswlower (wint_t @var{wc})
-Returns true if @var{wc} is a lower-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("lower"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex printing character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswprint (wint_t @var{wc})
-Returns true if @var{wc} is a printing character.  Printing characters
-include all the graphic characters, plus the space (@samp{ }) character.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("print"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex punctuation character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswpunct (wint_t @var{wc})
-Returns true if @var{wc} is a punctuation character.
-This means any printing character that is not alphanumeric or a space
-character.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("punct"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex whitespace character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswspace (wint_t @var{wc})
-Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
-@code{"C"} locale, @code{iswspace} returns true for only the standard
-whitespace characters:
-
-@table @code
-@item L' '
-space
-
-@item L'\f'
-formfeed
-
-@item L'\n'
-newline
-
-@item L'\r'
-carriage return
-
-@item L'\t'
-horizontal tab
-
-@item L'\v'
-vertical tab
-@end table
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("space"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex upper-case character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswupper (wint_t @var{wc})
-Returns true if @var{wc} is an upper-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("upper"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex hexadecimal digit character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswxdigit (wint_t @var{wc})
-Returns true if @var{wc} is a hexadecimal digit.
-Hexadecimal digits include the normal decimal digits @samp{0} through
-@samp{9} and the letters @samp{A} through @samp{F} and
-@samp{a} through @samp{f}.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("xdigit"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@Theglibc{} also provides a function which is not defined in the
-@w{ISO C} standard but which is available as a version for single byte
-characters as well.
-
-@cindex blank character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswblank (wint_t @var{wc})
-Returns true if @var{wc} is a blank character; that is, a space or a tab.
-This function was originally a GNU extension, but was added in @w{ISO C99}.
-It is declared in @file{wchar.h}.
-@end deftypefun
-
-@node Using Wide Char Classes, Wide Character Case Conversion, Classification of Wide Characters, Character Handling
-@section Notes on using the wide character classes
-
-The first note is probably not astonishing but still occasionally a
-cause of problems.  The @code{isw@var{XXX}} functions can be implemented
-using macros and in fact, @theglibc{} does this.  They are still
-available as real functions but when the @file{wctype.h} header is
-included the macros will be used.  This is the same as the
-@code{char} type versions of these functions.
-
-The second note covers something new.  It can be best illustrated by a
-(real-world) example.  The first piece of code is an excerpt from the
-original code.  It is truncated a bit but the intention should be clear.
-
-@smallexample
-int
-is_in_class (int c, const char *class)
-@{
-  if (strcmp (class, "alnum") == 0)
-    return isalnum (c);
-  if (strcmp (class, "alpha") == 0)
-    return isalpha (c);
-  if (strcmp (class, "cntrl") == 0)
-    return iscntrl (c);
-  @dots{}
-  return 0;
-@}
-@end smallexample
-
-Now, with the @code{wctype} and @code{iswctype} you can avoid the
-@code{if} cascades, but rewriting the code as follows is wrong:
-
-@smallexample
-int
-is_in_class (int c, const char *class)
-@{
-  wctype_t desc = wctype (class);
-  return desc ? iswctype ((wint_t) c, desc) : 0;
-@}
-@end smallexample
-
-The problem is that it is not guaranteed that the wide character
-representation of a single-byte character can be found using casting.
-In fact, usually this fails miserably.  The correct solution to this
-problem is to write the code as follows:
-
-@smallexample
-int
-is_in_class (int c, const char *class)
-@{
-  wctype_t desc = wctype (class);
-  return desc ? iswctype (btowc (c), desc) : 0;
-@}
-@end smallexample
-
-@xref{Converting a Character}, for more information on @code{btowc}.
-Note that this change probably does not improve the performance
-of the program a lot since the @code{wctype} function still has to make
-the string comparisons.  It gets really interesting if the
-@code{is_in_class} function is called more than once for the
-same class name.  In this case the variable @var{desc} could be computed
-once and reused for all the calls.  Therefore the above form of the
-function is probably not the final one.
-
-
-@node Wide Character Case Conversion, , Using Wide Char Classes, Character Handling
-@section Mapping of wide characters.
-
-The classification functions are also generalized by the @w{ISO C}
-standard.  Instead of just allowing the two standard mappings, a
-locale can contain others.  Again, the @code{localedef} program
-already supports generating such locale data files.
-
-@comment wctype.h
-@comment ISO
-@deftp {Data Type} wctrans_t
-This data type is defined as a scalar type which can hold a value
-representing the locale-dependent character mapping.  There is no way to
-construct such a value apart from using the return value of the
-@code{wctrans} function.
-
-@pindex wctype.h
-@noindent
-This type is defined in @file{wctype.h}.
-@end deftp
-
-@comment wctype.h
-@comment ISO
-@deftypefun wctrans_t wctrans (const char *@var{property})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
-The @code{wctrans} function has to be used to find out whether a named
-mapping is defined in the current locale selected for the
-@code{LC_CTYPE} category.  If the returned value is non-zero, you can use
-it afterwards in calls to @code{towctrans}.  If the return value is
-zero no such mapping is known in the current locale.
-
-Beside locale-specific mappings there are two mappings which are
-guaranteed to be available in every locale:
-
-@multitable @columnfractions .5 .5
-@item
-@code{"tolower"} @tab @code{"toupper"}
-@end multitable
-
-@pindex wctype.h
-@noindent
-These functions are declared in @file{wctype.h}.
-@end deftypefun
-
-@comment wctype.h
-@comment ISO
-@deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
-@code{towctrans} maps the input character @var{wc}
-according to the rules of the mapping for which @var{desc} is a
-descriptor, and returns the value it finds.  @var{desc} must be
-obtained by a successful call to @code{wctrans}.
-
-@pindex wctype.h
-@noindent
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-For the generally available mappings, the @w{ISO C} standard defines
-convenient shortcuts so that it is not necessary to call @code{wctrans}
-for them.
-
-@comment wctype.h
-@comment ISO
-@deftypefun wint_t towlower (wint_t @var{wc})
-If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
-lower-case letter.  If @var{wc} is not an upper-case letter,
-@var{wc} is returned unchanged.
-
-@noindent
-@code{towlower} can be implemented using
-
-@smallexample
-towctrans (wc, wctrans ("tolower"))
-@end smallexample
-
-@pindex wctype.h
-@noindent
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-@comment wctype.h
-@comment ISO
-@deftypefun wint_t towupper (wint_t @var{wc})
-If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
-upper-case letter.  Otherwise @var{wc} is returned unchanged.
-
-@noindent
-@code{towupper} can be implemented using
-
-@smallexample
-towctrans (wc, wctrans ("toupper"))
-@end smallexample
-
-@pindex wctype.h
-@noindent
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-The same warnings given in the last section for the use of the wide
-character classification functions apply here.  It is not possible to
-simply cast a @code{char} type value to a @code{wint_t} and use it as an
-argument to @code{towctrans} calls.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fa0e164579ef7d32d41b16568c2074df2d84ea0d

commit fa0e164579ef7d32d41b16568c2074df2d84ea0d
Merge: 0c6b51e cbc4be3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:18 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0c6b51ef21491ce02925e57be1ad62a3092f80bd

commit 0c6b51ef21491ce02925e57be1ad62a3092f80bd
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:18 2013 -0300

    pop

diff --git a/meta b/meta
index ef3aba8..67da860 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: baea205847066607047dd828d088c2a21b4fe579
-Head: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
+Previous: cbc4be3ddd767d1a801d3f67429eac5fff0e8967
+Head: fbb71ce3cced40f87c25964011852d114f327c36
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: fbb71ce3cced40f87c25964011852d114f327c36
-  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Unapplied:
+  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=cbc4be3ddd767d1a801d3f67429eac5fff0e8967

commit cbc4be3ddd767d1a801d3f67429eac5fff0e8967
Merge: 2d1d41c baea205
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:14 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2d1d41c7d1961ee9a8f9af4f26f29cabeb0e9b14

commit 2d1d41c7d1961ee9a8f9af4f26f29cabeb0e9b14
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:14 2013 -0300

    push

diff --git a/meta b/meta
index a20a64c..ef3aba8 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 379d50f1e70eccec6d2d0ac9d0dd082a9b27a50e
-Head: fbb71ce3cced40f87c25964011852d114f327c36
+Previous: baea205847066607047dd828d088c2a21b4fe579
+Head: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: fbb71ce3cced40f87c25964011852d114f327c36
-Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=baea205847066607047dd828d088c2a21b4fe579

commit baea205847066607047dd828d088c2a21b4fe579
Merge: e1993fd 379d50f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:09 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e1993fd328095ec2bac2ce9d8c27be4419a1e6db

commit e1993fd328095ec2bac2ce9d8c27be4419a1e6db
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:09 2013 -0300

    pop

diff --git a/meta b/meta
index e28cb54..a20a64c 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 68ad03a2bd4e779f8534fbbf955a2379d7675d61
-Head: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
+Previous: 379d50f1e70eccec6d2d0ac9d0dd082a9b27a50e
+Head: fbb71ce3cced40f87c25964011852d114f327c36
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: fbb71ce3cced40f87c25964011852d114f327c36
-  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Unapplied:
+  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=379d50f1e70eccec6d2d0ac9d0dd082a9b27a50e

commit 379d50f1e70eccec6d2d0ac9d0dd082a9b27a50e
Merge: 4299902 68ad03a
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:06 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=429990230516f6434579b7a3523a920be3eec486

commit 429990230516f6434579b7a3523a920be3eec486
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:40:06 2013 -0300

    push

diff --git a/meta b/meta
index f078157..e28cb54 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: 8d732b6a6019c8134449d0fd5d3cec94a3afe753
-Head: fbb71ce3cced40f87c25964011852d114f327c36
+Previous: 68ad03a2bd4e779f8534fbbf955a2379d7675d61
+Head: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype.patch: fbb71ce3cced40f87c25964011852d114f327c36
-Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=68ad03a2bd4e779f8534fbbf955a2379d7675d61

commit 68ad03a2bd4e779f8534fbbf955a2379d7675d61
Merge: be19042 8d732b6
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:39:49 2013 -0300

    rename


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=be19042545f83d50cbda072f3aaa8a179076107c

commit be19042545f83d50cbda072f3aaa8a179076107c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:39:49 2013 -0300

    rename

diff --git a/meta b/meta
index c571acf..f078157 100644
--- a/meta
+++ b/meta
@@ -1,5 +1,5 @@
 Version: 1
-Previous: 7ed2a05df36796dedeb1b73c973d17de5092684f
+Previous: 8d732b6a6019c8134449d0fd5d3cec94a3afe753
 Head: fbb71ce3cced40f87c25964011852d114f327c36
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
@@ -9,7 +9,7 @@ Applied:
   manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
-  manual-document-mt-safety-ctype-wip.patch: fbb71ce3cced40f87c25964011852d114f327c36
+  manual-document-mt-safety-ctype.patch: fbb71ce3cced40f87c25964011852d114f327c36
 Unapplied:
   manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:
diff --git a/patches/manual-document-mt-safety-ctype-wip.patch b/patches/manual-document-mt-safety-ctype.patch
similarity index 100%
rename from patches/manual-document-mt-safety-ctype-wip.patch
rename to patches/manual-document-mt-safety-ctype.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8d732b6a6019c8134449d0fd5d3cec94a3afe753

commit 8d732b6a6019c8134449d0fd5d3cec94a3afe753
Merge: 9836204 7ed2a05
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:38:56 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=98362048fdc4833994d62eadfdffa043cbb98bde

commit 98362048fdc4833994d62eadfdffa043cbb98bde
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 21:38:56 2013 -0300

    pop

diff --git a/meta b/meta
index d70635d..c571acf 100644
--- a/meta
+++ b/meta
@@ -1,6 +1,6 @@
 Version: 1
-Previous: b0ce064083475ab914baa5244960e369cf0a2e10
-Head: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
+Previous: 7ed2a05df36796dedeb1b73c973d17de5092684f
+Head: fbb71ce3cced40f87c25964011852d114f327c36
 Applied:
   manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
   powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
@@ -10,6 +10,6 @@ Applied:
   manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
   manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
   manual-document-mt-safety-ctype-wip.patch: fbb71ce3cced40f87c25964011852d114f327c36
-  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Unapplied:
+  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e

commit 1ae8e2eabd22a74ff8a80a4b565df5b4c36fe12e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,6 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -730,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -749,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fbb71ce3cced40f87c25964011852d114f327c36

commit fbb71ce3cced40f87c25964011852d114f327c36
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..f05d509 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -691,6 +691,7 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +714,7 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b1da9d49b81e23d658de4369181599c33e3acd9e

commit b1da9d49b81e23d658de4369181599c33e3acd9e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
deleted file mode 100644
index 3d13571..0000000
--- a/manual/ctype.texi
+++ /dev/null
@@ -1,770 +0,0 @@
-@node Character Handling, String and Array Utilities, Memory, Top
-@c %MENU% Character testing and conversion functions
-@chapter Character Handling
-
-Programs that work with characters and strings often need to classify a
-character---is it alphabetic, is it a digit, is it whitespace, and so
-on---and perform case conversion operations on characters.  The
-functions in the header file @file{ctype.h} are provided for this
-purpose.
-@pindex ctype.h
-
-Since the choice of locale and character set can alter the
-classifications of particular character codes, all of these functions
-are affected by the current locale.  (More precisely, they are affected
-by the locale currently selected for character classification---the
-@code{LC_CTYPE} category; see @ref{Locale Categories}.)
-
-The @w{ISO C} standard specifies two different sets of functions.  The
-one set works on @code{char} type characters, the other one on
-@code{wchar_t} wide characters (@pxref{Extended Char Intro}).
-
-@menu
-* Classification of Characters::       Testing whether characters are
-			                letters, digits, punctuation, etc.
-
-* Case Conversion::                    Case mapping, and the like.
-* Classification of Wide Characters::  Character class determination for
-                                        wide characters.
-* Using Wide Char Classes::            Notes on using the wide character
-                                        classes.
-* Wide Character Case Conversion::     Mapping of wide characters.
-@end menu
-
-@node Classification of Characters, Case Conversion,  , Character Handling
-@section Classification of Characters
-@cindex character testing
-@cindex classification of characters
-@cindex predicates on characters
-@cindex character predicates
-
-This section explains the library functions for classifying characters.
-For example, @code{isalpha} is the function to test for an alphabetic
-character.  It takes one argument, the character to test, and returns a
-nonzero integer if the character is alphabetic, and zero otherwise.  You
-would use it like this:
-
-@smallexample
-if (isalpha (c))
-  printf ("The character `%c' is alphabetic.\n", c);
-@end smallexample
-
-Each of the functions in this section tests for membership in a
-particular class of characters; each has a name starting with @samp{is}.
-Each of them takes one argument, which is a character to test, and
-returns an @code{int} which is treated as a boolean value.  The
-character argument is passed as an @code{int}, and it may be the
-constant value @code{EOF} instead of a real character.
-
-The attributes of any given character can vary between locales.
-@xref{Locales}, for more information on locales.@refill
-
-These functions are declared in the header file @file{ctype.h}.
-@pindex ctype.h
-
-@cindex lower-case character
-@comment ctype.h
-@comment ISO
-@deftypefun int islower (int @var{c})
-Returns true if @var{c} is a lower-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-@end deftypefun
-
-@cindex upper-case character
-@comment ctype.h
-@comment ISO
-@deftypefun int isupper (int @var{c})
-Returns true if @var{c} is an upper-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-@end deftypefun
-
-@cindex alphabetic character
-@comment ctype.h
-@comment ISO
-@deftypefun int isalpha (int @var{c})
-Returns true if @var{c} is an alphabetic character (a letter).  If
-@code{islower} or @code{isupper} is true of a character, then
-@code{isalpha} is also true.
-
-In some locales, there may be additional characters for which
-@code{isalpha} is true---letters which are neither upper case nor lower
-case.  But in the standard @code{"C"} locale, there are no such
-additional characters.
-@end deftypefun
-
-@cindex digit character
-@cindex decimal digit character
-@comment ctype.h
-@comment ISO
-@deftypefun int isdigit (int @var{c})
-Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
-@end deftypefun
-
-@cindex alphanumeric character
-@comment ctype.h
-@comment ISO
-@deftypefun int isalnum (int @var{c})
-Returns true if @var{c} is an alphanumeric character (a letter or
-number); in other words, if either @code{isalpha} or @code{isdigit} is
-true of a character, then @code{isalnum} is also true.
-@end deftypefun
-
-@cindex hexadecimal digit character
-@comment ctype.h
-@comment ISO
-@deftypefun int isxdigit (int @var{c})
-Returns true if @var{c} is a hexadecimal digit.
-Hexadecimal digits include the normal decimal digits @samp{0} through
-@samp{9} and the letters @samp{A} through @samp{F} and
-@samp{a} through @samp{f}.
-@end deftypefun
-
-@cindex punctuation character
-@comment ctype.h
-@comment ISO
-@deftypefun int ispunct (int @var{c})
-Returns true if @var{c} is a punctuation character.
-This means any printing character that is not alphanumeric or a space
-character.
-@end deftypefun
-
-@cindex whitespace character
-@comment ctype.h
-@comment ISO
-@deftypefun int isspace (int @var{c})
-Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
-@code{"C"} locale, @code{isspace} returns true for only the standard
-whitespace characters:
-
-@table @code
-@item ' '
-space
-
-@item '\f'
-formfeed
-
-@item '\n'
-newline
-
-@item '\r'
-carriage return
-
-@item '\t'
-horizontal tab
-
-@item '\v'
-vertical tab
-@end table
-@end deftypefun
-
-@cindex blank character
-@comment ctype.h
-@comment ISO
-@deftypefun int isblank (int @var{c})
-Returns true if @var{c} is a blank character; that is, a space or a tab.
-This function was originally a GNU extension, but was added in @w{ISO C99}.
-@end deftypefun
-
-@cindex graphic character
-@comment ctype.h
-@comment ISO
-@deftypefun int isgraph (int @var{c})
-Returns true if @var{c} is a graphic character; that is, a character
-that has a glyph associated with it.  The whitespace characters are not
-considered graphic.
-@end deftypefun
-
-@cindex printing character
-@comment ctype.h
-@comment ISO
-@deftypefun int isprint (int @var{c})
-Returns true if @var{c} is a printing character.  Printing characters
-include all the graphic characters, plus the space (@samp{ }) character.
-@end deftypefun
-
-@cindex control character
-@comment ctype.h
-@comment ISO
-@deftypefun int iscntrl (int @var{c})
-Returns true if @var{c} is a control character (that is, a character that
-is not a printing character).
-@end deftypefun
-
-@cindex ASCII character
-@comment ctype.h
-@comment SVID, BSD
-@deftypefun int isascii (int @var{c})
-Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
-into the US/UK ASCII character set.  This function is a BSD extension
-and is also an SVID extension.
-@end deftypefun
-
-@node Case Conversion, Classification of Wide Characters, Classification of Characters, Character Handling
-@section Case Conversion
-@cindex character case conversion
-@cindex case conversion of characters
-@cindex converting case of characters
-
-This section explains the library functions for performing conversions
-such as case mappings on characters.  For example, @code{toupper}
-converts any character to upper case if possible.  If the character
-can't be converted, @code{toupper} returns it unchanged.
-
-These functions take one argument of type @code{int}, which is the
-character to convert, and return the converted character as an
-@code{int}.  If the conversion is not applicable to the argument given,
-the argument is returned unchanged.
-
-@strong{Compatibility Note:} In pre-@w{ISO C} dialects, instead of
-returning the argument unchanged, these functions may fail when the
-argument is not suitable for the conversion.  Thus for portability, you
-may need to write @code{islower(c) ? toupper(c) : c} rather than just
-@code{toupper(c)}.
-
-These functions are declared in the header file @file{ctype.h}.
-@pindex ctype.h
-
-@comment ctype.h
-@comment ISO
-@deftypefun int tolower (int @var{c})
-If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
-lower-case letter.  If @var{c} is not an upper-case letter,
-@var{c} is returned unchanged.
-@end deftypefun
-
-@comment ctype.h
-@comment ISO
-@deftypefun int toupper (int @var{c})
-If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
-upper-case letter.  Otherwise @var{c} is returned unchanged.
-@end deftypefun
-
-@comment ctype.h
-@comment SVID, BSD
-@deftypefun int toascii (int @var{c})
-This function converts @var{c} to a 7-bit @code{unsigned char} value
-that fits into the US/UK ASCII character set, by clearing the high-order
-bits.  This function is a BSD extension and is also an SVID extension.
-@end deftypefun
-
-@comment ctype.h
-@comment SVID
-@deftypefun int _tolower (int @var{c})
-This is identical to @code{tolower}, and is provided for compatibility
-with the SVID.  @xref{SVID}.@refill
-@end deftypefun
-
-@comment ctype.h
-@comment SVID
-@deftypefun int _toupper (int @var{c})
-This is identical to @code{toupper}, and is provided for compatibility
-with the SVID.
-@end deftypefun
-
-
-@node Classification of Wide Characters, Using Wide Char Classes, Case Conversion, Character Handling
-@section Character class determination for wide characters
-
-@w{Amendment 1} to @w{ISO C90} defines functions to classify wide
-characters.  Although the original @w{ISO C90} standard already defined
-the type @code{wchar_t}, no functions operating on them were defined.
-
-The general design of the classification functions for wide characters
-is more general.  It allows extensions to the set of available
-classifications, beyond those which are always available.  The POSIX
-standard specifies how extensions can be made, and this is already
-implemented in the @glibcadj{} implementation of the @code{localedef}
-program.
-
-The character class functions are normally implemented with bitsets,
-with a bitset per character.  For a given character, the appropriate
-bitset is read from a table and a test is performed as to whether a
-certain bit is set.  Which bit is tested for is determined by the
-class.
-
-For the wide character classification functions this is made visible.
-There is a type classification type defined, a function to retrieve this
-value for a given class, and a function to test whether a given
-character is in this class, using the classification value.  On top of
-this the normal character classification functions as used for
-@code{char} objects can be defined.
-
-@comment wctype.h
-@comment ISO
-@deftp {Data type} wctype_t
-The @code{wctype_t} can hold a value which represents a character class.
-The only defined way to generate such a value is by using the
-@code{wctype} function.
-
-@pindex wctype.h
-This type is defined in @file{wctype.h}.
-@end deftp
-
-@comment wctype.h
-@comment ISO
-@deftypefun wctype_t wctype (const char *@var{property})
-The @code{wctype} returns a value representing a class of wide
-characters which is identified by the string @var{property}.  Beside
-some standard properties each locale can define its own ones.  In case
-no property with the given name is known for the current locale
-selected for the @code{LC_CTYPE} category, the function returns zero.
-
-@noindent
-The properties known in every locale are:
-
-@multitable @columnfractions .25 .25 .25 .25
-@item
-@code{"alnum"} @tab @code{"alpha"} @tab @code{"cntrl"} @tab @code{"digit"}
-@item
-@code{"graph"} @tab @code{"lower"} @tab @code{"print"} @tab @code{"punct"}
-@item
-@code{"space"} @tab @code{"upper"} @tab @code{"xdigit"}
-@end multitable
-
-@pindex wctype.h
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-To test the membership of a character to one of the non-standard classes
-the @w{ISO C} standard defines a completely new function.
-
-@comment wctype.h
-@comment ISO
-@deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
-This function returns a nonzero value if @var{wc} is in the character
-class specified by @var{desc}.  @var{desc} must previously be returned
-by a successful call to @code{wctype}.
-
-@pindex wctype.h
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-To make it easier to use the commonly-used classification functions,
-they are defined in the C library.  There is no need to use
-@code{wctype} if the property string is one of the known character
-classes.  In some situations it is desirable to construct the property
-strings, and then it is important that @code{wctype} can also handle the
-standard classes.
-
-@cindex alphanumeric character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswalnum (wint_t @var{wc})
-This function returns a nonzero value if @var{wc} is an alphanumeric
-character (a letter or number); in other words, if either @code{iswalpha}
-or @code{iswdigit} is true of a character, then @code{iswalnum} is also
-true.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("alnum"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex alphabetic character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswalpha (wint_t @var{wc})
-Returns true if @var{wc} is an alphabetic character (a letter).  If
-@code{iswlower} or @code{iswupper} is true of a character, then
-@code{iswalpha} is also true.
-
-In some locales, there may be additional characters for which
-@code{iswalpha} is true---letters which are neither upper case nor lower
-case.  But in the standard @code{"C"} locale, there are no such
-additional characters.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("alpha"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex control character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswcntrl (wint_t @var{wc})
-Returns true if @var{wc} is a control character (that is, a character that
-is not a printing character).
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("cntrl"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex digit character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswdigit (wint_t @var{wc})
-Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
-Please note that this function does not only return a nonzero value for
-@emph{decimal} digits, but for all kinds of digits.  A consequence is
-that code like the following will @strong{not} work unconditionally for
-wide characters:
-
-@smallexample
-n = 0;
-while (iswdigit (*wc))
-  @{
-    n *= 10;
-    n += *wc++ - L'0';
-  @}
-@end smallexample
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("digit"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex graphic character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswgraph (wint_t @var{wc})
-Returns true if @var{wc} is a graphic character; that is, a character
-that has a glyph associated with it.  The whitespace characters are not
-considered graphic.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("graph"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex lower-case character
-@comment ctype.h
-@comment ISO
-@deftypefun int iswlower (wint_t @var{wc})
-Returns true if @var{wc} is a lower-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("lower"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex printing character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswprint (wint_t @var{wc})
-Returns true if @var{wc} is a printing character.  Printing characters
-include all the graphic characters, plus the space (@samp{ }) character.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("print"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex punctuation character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswpunct (wint_t @var{wc})
-Returns true if @var{wc} is a punctuation character.
-This means any printing character that is not alphanumeric or a space
-character.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("punct"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex whitespace character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswspace (wint_t @var{wc})
-Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
-@code{"C"} locale, @code{iswspace} returns true for only the standard
-whitespace characters:
-
-@table @code
-@item L' '
-space
-
-@item L'\f'
-formfeed
-
-@item L'\n'
-newline
-
-@item L'\r'
-carriage return
-
-@item L'\t'
-horizontal tab
-
-@item L'\v'
-vertical tab
-@end table
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("space"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex upper-case character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswupper (wint_t @var{wc})
-Returns true if @var{wc} is an upper-case letter.  The letter need not be
-from the Latin alphabet, any alphabet representable is valid.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("upper"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@cindex hexadecimal digit character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswxdigit (wint_t @var{wc})
-Returns true if @var{wc} is a hexadecimal digit.
-Hexadecimal digits include the normal decimal digits @samp{0} through
-@samp{9} and the letters @samp{A} through @samp{F} and
-@samp{a} through @samp{f}.
-
-@noindent
-This function can be implemented using
-
-@smallexample
-iswctype (wc, wctype ("xdigit"))
-@end smallexample
-
-@pindex wctype.h
-It is declared in @file{wctype.h}.
-@end deftypefun
-
-@Theglibc{} also provides a function which is not defined in the
-@w{ISO C} standard but which is available as a version for single byte
-characters as well.
-
-@cindex blank character
-@comment wctype.h
-@comment ISO
-@deftypefun int iswblank (wint_t @var{wc})
-Returns true if @var{wc} is a blank character; that is, a space or a tab.
-This function was originally a GNU extension, but was added in @w{ISO C99}.
-It is declared in @file{wchar.h}.
-@end deftypefun
-
-@node Using Wide Char Classes, Wide Character Case Conversion, Classification of Wide Characters, Character Handling
-@section Notes on using the wide character classes
-
-The first note is probably not astonishing but still occasionally a
-cause of problems.  The @code{isw@var{XXX}} functions can be implemented
-using macros and in fact, @theglibc{} does this.  They are still
-available as real functions but when the @file{wctype.h} header is
-included the macros will be used.  This is the same as the
-@code{char} type versions of these functions.
-
-The second note covers something new.  It can be best illustrated by a
-(real-world) example.  The first piece of code is an excerpt from the
-original code.  It is truncated a bit but the intention should be clear.
-
-@smallexample
-int
-is_in_class (int c, const char *class)
-@{
-  if (strcmp (class, "alnum") == 0)
-    return isalnum (c);
-  if (strcmp (class, "alpha") == 0)
-    return isalpha (c);
-  if (strcmp (class, "cntrl") == 0)
-    return iscntrl (c);
-  @dots{}
-  return 0;
-@}
-@end smallexample
-
-Now, with the @code{wctype} and @code{iswctype} you can avoid the
-@code{if} cascades, but rewriting the code as follows is wrong:
-
-@smallexample
-int
-is_in_class (int c, const char *class)
-@{
-  wctype_t desc = wctype (class);
-  return desc ? iswctype ((wint_t) c, desc) : 0;
-@}
-@end smallexample
-
-The problem is that it is not guaranteed that the wide character
-representation of a single-byte character can be found using casting.
-In fact, usually this fails miserably.  The correct solution to this
-problem is to write the code as follows:
-
-@smallexample
-int
-is_in_class (int c, const char *class)
-@{
-  wctype_t desc = wctype (class);
-  return desc ? iswctype (btowc (c), desc) : 0;
-@}
-@end smallexample
-
-@xref{Converting a Character}, for more information on @code{btowc}.
-Note that this change probably does not improve the performance
-of the program a lot since the @code{wctype} function still has to make
-the string comparisons.  It gets really interesting if the
-@code{is_in_class} function is called more than once for the
-same class name.  In this case the variable @var{desc} could be computed
-once and reused for all the calls.  Therefore the above form of the
-function is probably not the final one.
-
-
-@node Wide Character Case Conversion, , Using Wide Char Classes, Character Handling
-@section Mapping of wide characters.
-
-The classification functions are also generalized by the @w{ISO C}
-standard.  Instead of just allowing the two standard mappings, a
-locale can contain others.  Again, the @code{localedef} program
-already supports generating such locale data files.
-
-@comment wctype.h
-@comment ISO
-@deftp {Data Type} wctrans_t
-This data type is defined as a scalar type which can hold a value
-representing the locale-dependent character mapping.  There is no way to
-construct such a value apart from using the return value of the
-@code{wctrans} function.
-
-@pindex wctype.h
-@noindent
-This type is defined in @file{wctype.h}.
-@end deftp
-
-@comment wctype.h
-@comment ISO
-@deftypefun wctrans_t wctrans (const char *@var{property})
-The @code{wctrans} function has to be used to find out whether a named
-mapping is defined in the current locale selected for the
-@code{LC_CTYPE} category.  If the returned value is non-zero, you can use
-it afterwards in calls to @code{towctrans}.  If the return value is
-zero no such mapping is known in the current locale.
-
-Beside locale-specific mappings there are two mappings which are
-guaranteed to be available in every locale:
-
-@multitable @columnfractions .5 .5
-@item
-@code{"tolower"} @tab @code{"toupper"}
-@end multitable
-
-@pindex wctype.h
-@noindent
-These functions are declared in @file{wctype.h}.
-@end deftypefun
-
-@comment wctype.h
-@comment ISO
-@deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-@code{towctrans} maps the input character @var{wc}
-according to the rules of the mapping for which @var{desc} is a
-descriptor, and returns the value it finds.  @var{desc} must be
-obtained by a successful call to @code{wctrans}.
-
-@pindex wctype.h
-@noindent
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-For the generally available mappings, the @w{ISO C} standard defines
-convenient shortcuts so that it is not necessary to call @code{wctrans}
-for them.
-
-@comment wctype.h
-@comment ISO
-@deftypefun wint_t towlower (wint_t @var{wc})
-If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
-lower-case letter.  If @var{wc} is not an upper-case letter,
-@var{wc} is returned unchanged.
-
-@noindent
-@code{towlower} can be implemented using
-
-@smallexample
-towctrans (wc, wctrans ("tolower"))
-@end smallexample
-
-@pindex wctype.h
-@noindent
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-@comment wctype.h
-@comment ISO
-@deftypefun wint_t towupper (wint_t @var{wc})
-If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
-upper-case letter.  Otherwise @var{wc} is returned unchanged.
-
-@noindent
-@code{towupper} can be implemented using
-
-@smallexample
-towctrans (wc, wctrans ("toupper"))
-@end smallexample
-
-@pindex wctype.h
-@noindent
-This function is declared in @file{wctype.h}.
-@end deftypefun
-
-The same warnings given in the last section for the use of the wide
-character classification functions apply here.  It is not possible to
-simply cast a @code{char} type value to a @code{wint_t} and use it as an
-argument to @code{towctrans} calls.

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7ed2a05df36796dedeb1b73c973d17de5092684f

commit 7ed2a05df36796dedeb1b73c973d17de5092684f
Merge: 8dc671d b0ce064 ed7e9cc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    pull


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8dc671dd7896ddf29bae4235f187d282b8fa12b9

commit 8dc671dd7896ddf29bae4235f187d282b8fa12b9
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    pull

diff --git a/meta b/meta
index f58fa10..d70635d 100644
--- a/meta
+++ b/meta
@@ -1,15 +1,15 @@
 Version: 1
-Previous: 1105dbbfefb70928dddf6224c380ee647b74e574
-Head: 3877ab63574b2d23eac947fed521b7c3999c8d9f
+Previous: b0ce064083475ab914baa5244960e369cf0a2e10
+Head: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Applied:
-  manual-document-mt-safety.patch: efc461350d9249c7b45dd1711d026868b38f051c
-  powerpc-nofpu-sim-note-nothread.patch: 134de3fab35b91543080d25a276ab00593d15be7
-  unused-scalb-is-scalbn.patch: abc6d481de5aabe5a3a019a29cc747e55230600e
-  manual-document-mt-safety-arith.patch: e9e5cf9f32d9b8147c0c8097478f8d623709d917
-  manual-document-mt-safety-stdio.patch: d0a89c9db96cfa69b1e445b45d29ebb5d783b899
-  manual-document-mt-safety-locale.patch: b6d0a7e40695997390c967a9c1255fc1813c84b0
-  manual-document-mt-safety-math.patch: c9ff7cfa5b3b4eb6799616ecce3a99944b7642d3
-  manual-document-mt-safety-ctype-wip.patch: 59ba7a5b73180e9b6b3a8a780c794019f3b4fb8e
-  manual-document-mt-safety-wip.patch: 3877ab63574b2d23eac947fed521b7c3999c8d9f
+  manual-document-mt-safety.patch: f159288e81a5a769e1274527d307f82bd918d8e5
+  powerpc-nofpu-sim-note-nothread.patch: 6f9592e7a7e327deae62aae99a5238cfba2d572d
+  unused-scalb-is-scalbn.patch: 04381689562081fc1e2328e5807e0dc537c1c5fc
+  manual-document-mt-safety-arith.patch: b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d
+  manual-document-mt-safety-stdio.patch: 49427f4017a13662522c4247e1eed08f867a3d73
+  manual-document-mt-safety-locale.patch: 0f17febc6eced1c8227402f12867a400ba58bd74
+  manual-document-mt-safety-math.patch: edeb8dbee9aa4cdef77764287545e16903acea6d
+  manual-document-mt-safety-ctype-wip.patch: fbb71ce3cced40f87c25964011852d114f327c36
+  manual-document-mt-safety-wip.patch: ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
 Unapplied:
 Hidden:
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 471af98..5f1c9c2 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,7 +1,7 @@
-Bottom: da0e6ebd226c97d69a880a83a3458d1290cb0a33
-Top:    2739c166ffd8b16196598bf6ae81a1eb59c5da67
+Bottom: 6c9a45167e9f148c725e5d962b1cd083292f0adf
+Top:    e75a47b5ad278b7f85e5420cd63cda069e0b7030
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:39 -0300
+Date:   2013-08-13 15:29:40 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-ctype-wip.patch b/patches/manual-document-mt-safety-ctype-wip.patch
index e2d64bc..9799a98 100644
--- a/patches/manual-document-mt-safety-ctype-wip.patch
+++ b/patches/manual-document-mt-safety-ctype-wip.patch
@@ -1,7 +1,7 @@
-Bottom: 78fe1791b80475e24bb082448c82b31a599bb2cd
-Top:    eda06e358bd7339a7b33c1798edc9038d99aafaf
+Bottom: 493d959bda4db41836ea91b2b9685b47ab733575
+Top:    1f38562405d3b5dadb8c27bd94ec1cba5a2481da
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:43 -0300
+Date:   2013-08-13 15:29:41 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-locale.patch b/patches/manual-document-mt-safety-locale.patch
index c5c4fa4..a5cc454 100644
--- a/patches/manual-document-mt-safety-locale.patch
+++ b/patches/manual-document-mt-safety-locale.patch
@@ -1,7 +1,7 @@
-Bottom: 7803afb16b44ea9e7a20effc6b009b4417ede858
-Top:    7ddaf06032faa5cbc050d572e2e304aee7a0a055
+Bottom: e394e37491899340294bfd977f43c098c558c2b1
+Top:    e7a76e5bc200b56429777851aab7bce4bcbb7c56
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:40 -0300
+Date:   2013-08-13 15:29:40 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 79e98aa..ebdf1e4 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,7 +1,7 @@
-Bottom: 7ddaf06032faa5cbc050d572e2e304aee7a0a055
-Top:    78fe1791b80475e24bb082448c82b31a599bb2cd
+Bottom: e7a76e5bc200b56429777851aab7bce4bcbb7c56
+Top:    493d959bda4db41836ea91b2b9685b47ab733575
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:41 -0300
+Date:   2013-08-13 15:29:40 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index d0907aa..8aae437 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,7 +1,7 @@
-Bottom: 2739c166ffd8b16196598bf6ae81a1eb59c5da67
-Top:    7803afb16b44ea9e7a20effc6b009b4417ede858
+Bottom: e75a47b5ad278b7f85e5420cd63cda069e0b7030
+Top:    e394e37491899340294bfd977f43c098c558c2b1
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:40 -0300
+Date:   2013-08-13 15:29:40 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety-wip.patch b/patches/manual-document-mt-safety-wip.patch
index c9edc3e..83ac8f5 100644
--- a/patches/manual-document-mt-safety-wip.patch
+++ b/patches/manual-document-mt-safety-wip.patch
@@ -1,7 +1,7 @@
-Bottom: eda06e358bd7339a7b33c1798edc9038d99aafaf
-Top:    b3048f1f29a3cb611e8590355a732220e79312c6
+Bottom: 1f38562405d3b5dadb8c27bd94ec1cba5a2481da
+Top:    7472b1dd7a8cc8760b98cd08cb7f8418374249ed
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:48 -0300
+Date:   2013-08-13 15:29:41 -0300
 
 Thread safety documentation.
 
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index 66d3159..6bdec13 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,7 +1,7 @@
-Bottom: efed39b7ade4b9cbc21039a1156412424917f48d
-Top:    539050bc4b84d23577ed07dc19f9da5286a45dac
+Bottom: fde38f49e9ff8e251fc3a4c9a8d5f194ba6decbf
+Top:    f865586a6c7ce831d9285c15a3df95a5b593b24b
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-07-30 04:54:56 -0300
+Date:   2013-08-13 15:29:39 -0300
 
 Thread safety documentation.
 
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index c35921d..e415a47 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,7 +1,7 @@
-Bottom: 539050bc4b84d23577ed07dc19f9da5286a45dac
-Top:    4e74d806c3244a3036ccfd773571125e92181033
+Bottom: f865586a6c7ce831d9285c15a3df95a5b593b24b
+Top:    6ecb4948f5afac7b2e943164b461bf059c000127
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:36 -0300
+Date:   2013-08-13 15:29:39 -0300
 
 Note that powerpc fpu emulation status is not thread- or signal-safe.
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 4f1dac0..d6b66ee 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,7 +1,7 @@
-Bottom: 4e74d806c3244a3036ccfd773571125e92181033
-Top:    da0e6ebd226c97d69a880a83a3458d1290cb0a33
+Bottom: 6ecb4948f5afac7b2e943164b461bf059c000127
+Top:    6c9a45167e9f148c725e5d962b1cd083292f0adf
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:37 -0300
+Date:   2013-08-13 15:29:39 -0300
 
 Rename unused scalb to scalbn to match prototype.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85

commit ed7e9cc5265b17c5dc7dc5bcd72b7247ad574f85
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/???.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.
diff --git a/manual/arith.texi b/manual/arith.texi
index 833e0c9..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -323,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -373,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -384,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -395,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -2443,6 +2448,32 @@ as well.
 @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
 @c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and
diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the
diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of
diff --git a/manual/ctype.texi b/manual/ctype.texi
index f05d509..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -732,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 
diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor
diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat
diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the
diff --git a/manual/intro.texi b/manual/intro.texi
index 2630a77..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
 @code{setlocale} should not be called while these functions are active.
 
 
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
 @item @code{uunguard}
 @cindex uunguard
 
@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
 modified concurrently by other threads or signal handlers.
 
 
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
 @end itemize
 
 
@@ -305,11 +363,37 @@ as follows:
 
 Functions annotated with @code{staticbuf} use internal static buffers or
 variables in ways that may cause concurrent calls to interfere
-destructively.
+destructively.  
 
 These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
 
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
 
 @item @code{fdleak}
 @cindex fdleak
@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
 Functions marked with @code{selfdeadlock} take a non-recursive lock to
 ensure MT-Safety while modifying data structures guarded by the lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the result is a deadlock.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid a deadlock if any signal handler might need
@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
 MT-Safety while accessing or modifying data structures guarded by the
 lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the latter function may observe a partially updated,
-inconsistent data structure, and misbehave.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid the misbehavior that may ensue if any signal
@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
 only safe way to avoid the misbehavior that may ensure if the thread is
 canceled while the function is running.
 
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
 
 @item @code{simfpu}
 @cindex simfpu
diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the
diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,
diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym
diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3
diff --git a/manual/locale.texi b/manual/locale.texi
index 323268d..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-@safety{@mtunsafe{uunguard}}
-@c This function is MT-Safe, but uses of the global locale object are
-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
-@c the use of this function once threads are started.
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.
diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with
diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 
diff --git a/manual/stdio.texi b/manual/stdio.texi
index 7809dd4..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 @c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
@@ -267,7 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
 @c After fclose, it is undefined behavior to use the stream it points
 @c to.  Therefore, one must only call fclose when the stream is
 @c otherwise unused.  Concurrent uses started before will complete
@@ -2662,6 +2662,42 @@ pointer @var{ap}.
 @c case of cancellation.  This doesn't make it unsafe, but cancelling it
 @c may leak memory.  The unguarded use of __printf_function_table is
 @c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
 @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
 @c bringing with it additional potential for async trouble with
 @c list_all_lock.
@@ -5076,7 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -5192,7 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.
diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield
diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=60f0d7aaa66504b3818d82ea8691b365f4f55dc5

commit 60f0d7aaa66504b3818d82ea8691b365f4f55dc5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -318,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -354,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -368,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -379,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -390,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -410,6 +420,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +434,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +457,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +726,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +752,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +768,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +805,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +817,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +973,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +984,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1029,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1040,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1079,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1089,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1110,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1123,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1136,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1188,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1210,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1224,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1262,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1288,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1310,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1323,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1337,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1351,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1386,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1401,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1416,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1431,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1452,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1466,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1481,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1495,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1509,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1523,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1538,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1565,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1588,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1612,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1634,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1650,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1669,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1693,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1709,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1745,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1754,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1763,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1772,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1781,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1794,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1828,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1849,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1866,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1884,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2014,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2027,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2040,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2055,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2074,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2120,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2193,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2203,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2222,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2232,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2249,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2259,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2276,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2286,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2296,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2313,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2330,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2340,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2351,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2361,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2371,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2380,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2445,35 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2559,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2579,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2592,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2619,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2645,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2664,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2681,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2690,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2699,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2720,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2732,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2744,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2756,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d

commit b0aaf99a53ebe756b3b61930b0d42fd5b51dd71d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..833e0c9 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -410,6 +415,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +429,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +452,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +721,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +747,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +763,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +800,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +812,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +968,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +979,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1024,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1035,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1074,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1084,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1105,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1118,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1131,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1183,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1205,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1219,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1257,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1283,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1305,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1318,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1332,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1346,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1381,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1396,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1411,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1426,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1447,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1461,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1476,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1490,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1504,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1518,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1533,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1560,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1583,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1607,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1629,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1645,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1664,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1688,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1704,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1740,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1749,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1758,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1767,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1776,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1789,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1823,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1844,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1861,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1879,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2009,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2022,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2035,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2050,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2069,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2115,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2188,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2198,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2217,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2227,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2244,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2254,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2271,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2281,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2291,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2308,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2325,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2335,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2346,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2356,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2366,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2375,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2440,9 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2528,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2548,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2561,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2588,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2614,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2633,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2650,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2659,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2668,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2689,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2701,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2713,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2725,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=edeb8dbee9aa4cdef77764287545e16903acea6d

commit edeb8dbee9aa4cdef77764287545e16903acea6d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0f17febc6eced1c8227402f12867a400ba58bd74

commit 0f17febc6eced1c8227402f12867a400ba58bd74
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..323268d 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard}}
+@c This function is MT-Safe, but uses of the global locale object are
+@c unguarded in functions that ought to be MT-Safe, so we're ruling out
+@c the use of this function once threads are started.
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=49427f4017a13662522c4247e1eed08f867a3d73

commit 49427f4017a13662522c4247e1eed08f867a3d73
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..7809dd4 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,12 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2785,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4201,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4399,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4594,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4764,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4781,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4906,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5076,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5192,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=351fb371fa127df8fa5e27b38a330e4258b35180

commit 351fb371fa127df8fa5e27b38a330e4258b35180
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,411 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item 
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item 
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item 
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards to ensure consistency.  To ensure MT- and
+AS-Safe behavior, callers must ensure that the objects passed in are not
+modified concurrently by other threads or signal handlers.
+
+
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.  
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+propertes we documentated are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f159288e81a5a769e1274527d307f82bd918d8e5

commit f159288e81a5a769e1274527d307f82bd918d8e5
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..2630a77 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,314 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item 
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item 
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item 
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards to ensure consistency.  To ensure MT- and
+AS-Safe behavior, callers must ensure that the objects passed in are not
+modified concurrently by other threads or signal handlers.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is interrupted by a signal while holding the lock,
+and the signal handler calls any function that takes the same
+non-recursive lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is interrupted by a signal while holding the lock,
+and the signal handler calls any function that takes the same
+non-recursive lock, the latter function may observe a partially updated,
+inconsistent data structure, and misbehave.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+propertes we documentated are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=04381689562081fc1e2328e5807e0dc537c1c5fc

commit 04381689562081fc1e2328e5807e0dc537c1c5fc
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6f9592e7a7e327deae62aae99a5238cfba2d572d

commit 6f9592e7a7e327deae62aae99a5238cfba2d572d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Aug 13 15:29:39 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b0ce064083475ab914baa5244960e369cf0a2e10

commit b0ce064083475ab914baa5244960e369cf0a2e10
Merge: f39e49a 3877ab6 1105dbb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:57:14 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f39e49a9c7a1d54c0be1718ff13feb587b8fdcca

commit f39e49a9c7a1d54c0be1718ff13feb587b8fdcca
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:57:14 2013 -0300

    push

diff --git a/meta b/meta
index ae7cb86..f58fa10 100644
--- a/meta
+++ b/meta
@@ -1,15 +1,15 @@
 Version: 1
-Previous: b6698ebaf34ee4eee6fdf262dda1f0e6326ec8f5
-Head: 134de3fab35b91543080d25a276ab00593d15be7
+Previous: 1105dbbfefb70928dddf6224c380ee647b74e574
+Head: 3877ab63574b2d23eac947fed521b7c3999c8d9f
 Applied:
   manual-document-mt-safety.patch: efc461350d9249c7b45dd1711d026868b38f051c
   powerpc-nofpu-sim-note-nothread.patch: 134de3fab35b91543080d25a276ab00593d15be7
+  unused-scalb-is-scalbn.patch: abc6d481de5aabe5a3a019a29cc747e55230600e
+  manual-document-mt-safety-arith.patch: e9e5cf9f32d9b8147c0c8097478f8d623709d917
+  manual-document-mt-safety-stdio.patch: d0a89c9db96cfa69b1e445b45d29ebb5d783b899
+  manual-document-mt-safety-locale.patch: b6d0a7e40695997390c967a9c1255fc1813c84b0
+  manual-document-mt-safety-math.patch: c9ff7cfa5b3b4eb6799616ecce3a99944b7642d3
+  manual-document-mt-safety-ctype-wip.patch: 59ba7a5b73180e9b6b3a8a780c794019f3b4fb8e
+  manual-document-mt-safety-wip.patch: 3877ab63574b2d23eac947fed521b7c3999c8d9f
 Unapplied:
-  unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
-  manual-document-mt-safety-arith.patch: ff79da305c9dfa8cdc253ef91e3af827e98ecd2b
-  manual-document-mt-safety-stdio.patch: 29204588dcc2ae4b2c07025a50f8018c87cdc409
-  manual-document-mt-safety-locale.patch: 2138bb13b72835109d53a470595be6f31f485113
-  manual-document-mt-safety-math.patch: 00af0ed393c8103a619299dc34fcda36561f3cd7
-  manual-document-mt-safety-ctype-wip.patch: b86a9adf8ea6fc915d528f3fa61ded06f3c91c61
-  manual-document-mt-safety-wip.patch: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
 Hidden:
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
index 6d56f45..471af98 100644
--- a/patches/manual-document-mt-safety-arith.patch
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -1,5 +1,5 @@
-Bottom: 58842960ffbf63afb50845d77d86b584785bfb5d
-Top:    4d06ccc13c580c9f8bc1ebbdc407011933a41e89
+Bottom: da0e6ebd226c97d69a880a83a3458d1290cb0a33
+Top:    2739c166ffd8b16196598bf6ae81a1eb59c5da67
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:39 -0300
 
diff --git a/patches/manual-document-mt-safety-ctype-wip.patch b/patches/manual-document-mt-safety-ctype-wip.patch
index 2751123..e2d64bc 100644
--- a/patches/manual-document-mt-safety-ctype-wip.patch
+++ b/patches/manual-document-mt-safety-ctype-wip.patch
@@ -1,5 +1,5 @@
-Bottom: 7c3df0362db41863af2f7f886b7e7f14cd2cb7c5
-Top:    cd865dbc67422bb0360d4e2692cc5f7ec6aea252
+Bottom: 78fe1791b80475e24bb082448c82b31a599bb2cd
+Top:    eda06e358bd7339a7b33c1798edc9038d99aafaf
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:43 -0300
 
diff --git a/patches/manual-document-mt-safety-locale.patch b/patches/manual-document-mt-safety-locale.patch
index def6108..c5c4fa4 100644
--- a/patches/manual-document-mt-safety-locale.patch
+++ b/patches/manual-document-mt-safety-locale.patch
@@ -1,5 +1,5 @@
-Bottom: e742d008a73a9279e0234fe6e8416e0b74b22645
-Top:    b6a7df74e1dd769dd2a68885320bde2bae038277
+Bottom: 7803afb16b44ea9e7a20effc6b009b4417ede858
+Top:    7ddaf06032faa5cbc050d572e2e304aee7a0a055
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:40 -0300
 
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
index 14df6f3..79e98aa 100644
--- a/patches/manual-document-mt-safety-math.patch
+++ b/patches/manual-document-mt-safety-math.patch
@@ -1,5 +1,5 @@
-Bottom: b6a7df74e1dd769dd2a68885320bde2bae038277
-Top:    7c3df0362db41863af2f7f886b7e7f14cd2cb7c5
+Bottom: 7ddaf06032faa5cbc050d572e2e304aee7a0a055
+Top:    78fe1791b80475e24bb082448c82b31a599bb2cd
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:41 -0300
 
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
index 2088f94..d0907aa 100644
--- a/patches/manual-document-mt-safety-stdio.patch
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -1,5 +1,5 @@
-Bottom: 4d06ccc13c580c9f8bc1ebbdc407011933a41e89
-Top:    e742d008a73a9279e0234fe6e8416e0b74b22645
+Bottom: 2739c166ffd8b16196598bf6ae81a1eb59c5da67
+Top:    7803afb16b44ea9e7a20effc6b009b4417ede858
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:40 -0300
 
diff --git a/patches/manual-document-mt-safety-wip.patch b/patches/manual-document-mt-safety-wip.patch
index 31af2c2..c9edc3e 100644
--- a/patches/manual-document-mt-safety-wip.patch
+++ b/patches/manual-document-mt-safety-wip.patch
@@ -1,5 +1,5 @@
-Bottom: cd865dbc67422bb0360d4e2692cc5f7ec6aea252
-Top:    7e6a83a1413d637cd4076c377f2dc632dc928b39
+Bottom: eda06e358bd7339a7b33c1798edc9038d99aafaf
+Top:    b3048f1f29a3cb611e8590355a732220e79312c6
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:48 -0300
 
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
index 2e01b9a..4f1dac0 100644
--- a/patches/unused-scalb-is-scalbn.patch
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -1,5 +1,5 @@
-Bottom: 83a97471a9f798dbf70f921529bea532c0632478
-Top:    58842960ffbf63afb50845d77d86b584785bfb5d
+Bottom: 4e74d806c3244a3036ccfd773571125e92181033
+Top:    da0e6ebd226c97d69a880a83a3458d1290cb0a33
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:37 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3877ab63574b2d23eac947fed521b7c3999c8d9f

commit 3877ab63574b2d23eac947fed521b7c3999c8d9f
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:48 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/???.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.
diff --git a/manual/arith.texi b/manual/arith.texi
index 833e0c9..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -323,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -373,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -384,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -395,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -2443,6 +2448,32 @@ as well.
 @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
 @c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and
diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the
diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of
diff --git a/manual/ctype.texi b/manual/ctype.texi
index f05d509..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -732,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 
diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor
diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat
diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the
diff --git a/manual/intro.texi b/manual/intro.texi
index 2630a77..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
 @code{setlocale} should not be called while these functions are active.
 
 
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
 @item @code{uunguard}
 @cindex uunguard
 
@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
 modified concurrently by other threads or signal handlers.
 
 
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
 @end itemize
 
 
@@ -305,11 +363,37 @@ as follows:
 
 Functions annotated with @code{staticbuf} use internal static buffers or
 variables in ways that may cause concurrent calls to interfere
-destructively.
+destructively.  
 
 These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
 
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
 
 @item @code{fdleak}
 @cindex fdleak
@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
 Functions marked with @code{selfdeadlock} take a non-recursive lock to
 ensure MT-Safety while modifying data structures guarded by the lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the result is a deadlock.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid a deadlock if any signal handler might need
@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
 MT-Safety while accessing or modifying data structures guarded by the
 lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the latter function may observe a partially updated,
-inconsistent data structure, and misbehave.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid the misbehavior that may ensue if any signal
@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
 only safe way to avoid the misbehavior that may ensure if the thread is
 canceled while the function is running.
 
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
 
 @item @code{simfpu}
 @cindex simfpu
diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the
diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,
diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym
diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3
diff --git a/manual/locale.texi b/manual/locale.texi
index 323268d..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-@safety{@mtunsafe{uunguard}}
-@c This function is MT-Safe, but uses of the global locale object are
-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
-@c the use of this function once threads are started.
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.
diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with
diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 
diff --git a/manual/stdio.texi b/manual/stdio.texi
index 7809dd4..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 @c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
@@ -267,7 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
 @c After fclose, it is undefined behavior to use the stream it points
 @c to.  Therefore, one must only call fclose when the stream is
 @c otherwise unused.  Concurrent uses started before will complete
@@ -2662,6 +2662,42 @@ pointer @var{ap}.
 @c case of cancellation.  This doesn't make it unsafe, but cancelling it
 @c may leak memory.  The unguarded use of __printf_function_table is
 @c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
 @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
 @c bringing with it additional potential for async trouble with
 @c list_all_lock.
@@ -5076,7 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -5192,7 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.
diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield
diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=59ba7a5b73180e9b6b3a8a780c794019f3b4fb8e

commit 59ba7a5b73180e9b6b3a8a780c794019f3b4fb8e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:43 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..f05d509 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -691,6 +691,7 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +714,7 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c9ff7cfa5b3b4eb6799616ecce3a99944b7642d3

commit c9ff7cfa5b3b4eb6799616ecce3a99944b7642d3
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b6d0a7e40695997390c967a9c1255fc1813c84b0

commit b6d0a7e40695997390c967a9c1255fc1813c84b0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..323268d 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard}}
+@c This function is MT-Safe, but uses of the global locale object are
+@c unguarded in functions that ought to be MT-Safe, so we're ruling out
+@c the use of this function once threads are started.
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d0a89c9db96cfa69b1e445b45d29ebb5d783b899

commit d0a89c9db96cfa69b1e445b45d29ebb5d783b899
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..7809dd4 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,12 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2785,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4201,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4399,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4594,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4764,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4781,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4906,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5076,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5192,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e9e5cf9f32d9b8147c0c8097478f8d623709d917

commit e9e5cf9f32d9b8147c0c8097478f8d623709d917
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..833e0c9 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -410,6 +415,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +429,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +452,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +721,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +747,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +763,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +800,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +812,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +968,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +979,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1024,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1035,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1074,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1084,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1105,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1118,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1131,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1183,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1205,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1219,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1257,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1283,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1305,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1318,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1332,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1346,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1381,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1396,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1411,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1426,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1447,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1461,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1476,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1490,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1504,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1518,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1533,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1560,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1583,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1607,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1629,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1645,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1664,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1688,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1704,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1740,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1749,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1758,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1767,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1776,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1789,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1823,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1844,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1861,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1879,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2009,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2022,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2035,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2050,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2069,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2115,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2188,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2198,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2217,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2227,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2244,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2254,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2271,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2281,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2291,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2308,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2325,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2335,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2346,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2356,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2366,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2375,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2440,9 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2528,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2548,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2561,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2588,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2614,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2633,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2650,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2659,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2668,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2689,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2701,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2713,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2725,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=abc6d481de5aabe5a3a019a29cc747e55230600e

commit abc6d481de5aabe5a3a019a29cc747e55230600e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:37 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1105dbbfefb70928dddf6224c380ee647b74e574

commit 1105dbbfefb70928dddf6224c380ee647b74e574
Merge: 07168b5 134de3f b6698eb
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:57:08 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=07168b5e6186608722e903b5d411b0a2a21b1cec

commit 07168b5e6186608722e903b5d411b0a2a21b1cec
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:57:08 2013 -0300

    push

diff --git a/meta b/meta
index 958622e..ae7cb86 100644
--- a/meta
+++ b/meta
@@ -1,10 +1,10 @@
 Version: 1
-Previous: afe9eb86872a7e5e07a87c8e33221ce8196d1185
-Head: efc461350d9249c7b45dd1711d026868b38f051c
+Previous: b6698ebaf34ee4eee6fdf262dda1f0e6326ec8f5
+Head: 134de3fab35b91543080d25a276ab00593d15be7
 Applied:
   manual-document-mt-safety.patch: efc461350d9249c7b45dd1711d026868b38f051c
+  powerpc-nofpu-sim-note-nothread.patch: 134de3fab35b91543080d25a276ab00593d15be7
 Unapplied:
-  powerpc-nofpu-sim-note-nothread.patch: c2080123a1257f86601d8639f289ea4e3e6e27d7
   unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
   manual-document-mt-safety-arith.patch: ff79da305c9dfa8cdc253ef91e3af827e98ecd2b
   manual-document-mt-safety-stdio.patch: 29204588dcc2ae4b2c07025a50f8018c87cdc409
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
index fb9723a..c35921d 100644
--- a/patches/powerpc-nofpu-sim-note-nothread.patch
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -1,5 +1,5 @@
-Bottom: 4efc67610afbdb4ae5fe31b2b904569f7a82116e
-Top:    83a97471a9f798dbf70f921529bea532c0632478
+Bottom: 539050bc4b84d23577ed07dc19f9da5286a45dac
+Top:    4e74d806c3244a3036ccfd773571125e92181033
 Author: Alexandre Oliva <aoliva@redhat.com>
 Date:   2013-06-26 10:46:36 -0300
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=134de3fab35b91543080d25a276ab00593d15be7

commit 134de3fab35b91543080d25a276ab00593d15be7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:36 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b6698ebaf34ee4eee6fdf262dda1f0e6326ec8f5

commit b6698ebaf34ee4eee6fdf262dda1f0e6326ec8f5
Merge: 967f99a afe9eb8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:56:53 2013 -0300

    refresh


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=967f99ae29dc6f98fada7ff3785f043818b1c529

commit 967f99ae29dc6f98fada7ff3785f043818b1c529
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:56:53 2013 -0300

    refresh

diff --git a/meta b/meta
index 5938411..958622e 100644
--- a/meta
+++ b/meta
@@ -1,9 +1,8 @@
 Version: 1
-Previous: c2ae60832456ff1f7dde39f32ff789261f07cc0c
-Head: 5302cf4e2b425ad6a577644de0e2778aebbeda47
+Previous: afe9eb86872a7e5e07a87c8e33221ce8196d1185
+Head: efc461350d9249c7b45dd1711d026868b38f051c
 Applied:
   manual-document-mt-safety.patch: efc461350d9249c7b45dd1711d026868b38f051c
-  refresh-temp: 5302cf4e2b425ad6a577644de0e2778aebbeda47
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: c2080123a1257f86601d8639f289ea4e3e6e27d7
   unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
diff --git a/patches/refresh-temp b/patches/refresh-temp
deleted file mode 100644
index d57ecf9..0000000
--- a/patches/refresh-temp
+++ /dev/null
@@ -1,10 +0,0 @@
-Bottom: 539050bc4b84d23577ed07dc19f9da5286a45dac
-Top:    539050bc4b84d23577ed07dc19f9da5286a45dac
-Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-07-30 04:56:50 -0300
-
-Refresh of manual-document-mt-safety.patch
-
----
-
-

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=afe9eb86872a7e5e07a87c8e33221ce8196d1185

commit afe9eb86872a7e5e07a87c8e33221ce8196d1185
Merge: ba8cbfe 5302cf4 c2ae608
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:56:52 2013 -0300

    refresh (create temporary patch)


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ba8cbfe1b08c4a5f248b91b79ed7741969b300c7

commit ba8cbfe1b08c4a5f248b91b79ed7741969b300c7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:56:51 2013 -0300

    refresh (create temporary patch)

diff --git a/meta b/meta
index 4861167..5938411 100644
--- a/meta
+++ b/meta
@@ -1,8 +1,9 @@
 Version: 1
-Previous: 972123921bf2c298d20034ac9f070b30ad7db958
-Head: efc461350d9249c7b45dd1711d026868b38f051c
+Previous: c2ae60832456ff1f7dde39f32ff789261f07cc0c
+Head: 5302cf4e2b425ad6a577644de0e2778aebbeda47
 Applied:
   manual-document-mt-safety.patch: efc461350d9249c7b45dd1711d026868b38f051c
+  refresh-temp: 5302cf4e2b425ad6a577644de0e2778aebbeda47
 Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: c2080123a1257f86601d8639f289ea4e3e6e27d7
   unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
diff --git a/patches/refresh-temp b/patches/refresh-temp
new file mode 100644
index 0000000..d57ecf9
--- /dev/null
+++ b/patches/refresh-temp
@@ -0,0 +1,10 @@
+Bottom: 539050bc4b84d23577ed07dc19f9da5286a45dac
+Top:    539050bc4b84d23577ed07dc19f9da5286a45dac
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-07-30 04:56:50 -0300
+
+Refresh of manual-document-mt-safety.patch
+
+---
+
+

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5302cf4e2b425ad6a577644de0e2778aebbeda47

commit 5302cf4e2b425ad6a577644de0e2778aebbeda47
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:56:50 2013 -0300

    Refresh of manual-document-mt-safety.patch

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=efc461350d9249c7b45dd1711d026868b38f051c

commit efc461350d9249c7b45dd1711d026868b38f051c
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:54:56 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..2630a77 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,314 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item 
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item 
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item 
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards to ensure consistency.  To ensure MT- and
+AS-Safe behavior, callers must ensure that the objects passed in are not
+modified concurrently by other threads or signal handlers.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is interrupted by a signal while holding the lock,
+and the signal handler calls any function that takes the same
+non-recursive lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is interrupted by a signal while holding the lock,
+and the signal handler calls any function that takes the same
+non-recursive lock, the latter function may observe a partially updated,
+inconsistent data structure, and misbehave.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+propertes we documentated are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c2ae60832456ff1f7dde39f32ff789261f07cc0c

commit c2ae60832456ff1f7dde39f32ff789261f07cc0c
Merge: fe515c9 9721239 efc4613
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:54:56 2013 -0300

    pull


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe515c972a5db7233f15cf86bc70f83d5382cfd0

commit fe515c972a5db7233f15cf86bc70f83d5382cfd0
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:54:56 2013 -0300

    pull

diff --git a/meta b/meta
index 07529f5..4861167 100644
--- a/meta
+++ b/meta
@@ -1,8 +1,9 @@
 Version: 1
-Previous: 0cd347e77152d781992666f79ede349337ff1e2a
-Head: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
+Previous: 972123921bf2c298d20034ac9f070b30ad7db958
+Head: efc461350d9249c7b45dd1711d026868b38f051c
 Applied:
-  manual-document-mt-safety.patch: 706d7b14f054f498250c63c1e221a935b0e5ced2
+  manual-document-mt-safety.patch: efc461350d9249c7b45dd1711d026868b38f051c
+Unapplied:
   powerpc-nofpu-sim-note-nothread.patch: c2080123a1257f86601d8639f289ea4e3e6e27d7
   unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
   manual-document-mt-safety-arith.patch: ff79da305c9dfa8cdc253ef91e3af827e98ecd2b
@@ -11,5 +12,4 @@ Applied:
   manual-document-mt-safety-math.patch: 00af0ed393c8103a619299dc34fcda36561f3cd7
   manual-document-mt-safety-ctype-wip.patch: b86a9adf8ea6fc915d528f3fa61ded06f3c91c61
   manual-document-mt-safety-wip.patch: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
-Unapplied:
 Hidden:
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
index 09977f1..66d3159 100644
--- a/patches/manual-document-mt-safety.patch
+++ b/patches/manual-document-mt-safety.patch
@@ -1,7 +1,7 @@
-Bottom: 13f15f706fb1ff430a99cba2788b2c38389fb60e
-Top:    4efc67610afbdb4ae5fe31b2b904569f7a82116e
+Bottom: efed39b7ade4b9cbc21039a1156412424917f48d
+Top:    539050bc4b84d23577ed07dc19f9da5286a45dac
 Author: Alexandre Oliva <aoliva@redhat.com>
-Date:   2013-06-26 10:46:35 -0300
+Date:   2013-07-30 04:54:56 -0300
 
 Thread safety documentation.
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=972123921bf2c298d20034ac9f070b30ad7db958

commit 972123921bf2c298d20034ac9f070b30ad7db958
Merge: ea4fba3 0cd347e
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:53:56 2013 -0300

    push


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ea4fba346a4d8499e2a0c063caf1a51cf4f9b6ef

commit ea4fba346a4d8499e2a0c063caf1a51cf4f9b6ef
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:53:56 2013 -0300

    push

diff --git a/meta b/meta
index 342e7f8..07529f5 100644
--- a/meta
+++ b/meta
@@ -1,8 +1,7 @@
 Version: 1
-Previous: f618714f0d41bb4db78aaa249202934f8c95d2dd
-Head: 89756a8cdb72c3741aa01e97d4ec8c4b30da585b
+Previous: 0cd347e77152d781992666f79ede349337ff1e2a
+Head: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
 Applied:
-Unapplied:
   manual-document-mt-safety.patch: 706d7b14f054f498250c63c1e221a935b0e5ced2
   powerpc-nofpu-sim-note-nothread.patch: c2080123a1257f86601d8639f289ea4e3e6e27d7
   unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
@@ -12,4 +11,5 @@ Unapplied:
   manual-document-mt-safety-math.patch: 00af0ed393c8103a619299dc34fcda36561f3cd7
   manual-document-mt-safety-ctype-wip.patch: b86a9adf8ea6fc915d528f3fa61ded06f3c91c61
   manual-document-mt-safety-wip.patch: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
+Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0cd347e77152d781992666f79ede349337ff1e2a

commit 0cd347e77152d781992666f79ede349337ff1e2a
Merge: e82e52b f618714 89756a8
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:53:45 2013 -0300

    pop


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e82e52b64d56c2a395b94ac311b5418947b7b344

commit e82e52b64d56c2a395b94ac311b5418947b7b344
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:53:45 2013 -0300

    pop

diff --git a/meta b/meta
index 098d519..342e7f8 100644
--- a/meta
+++ b/meta
@@ -1,7 +1,8 @@
 Version: 1
-Previous: None
-Head: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
+Previous: f618714f0d41bb4db78aaa249202934f8c95d2dd
+Head: 89756a8cdb72c3741aa01e97d4ec8c4b30da585b
 Applied:
+Unapplied:
   manual-document-mt-safety.patch: 706d7b14f054f498250c63c1e221a935b0e5ced2
   powerpc-nofpu-sim-note-nothread.patch: c2080123a1257f86601d8639f289ea4e3e6e27d7
   unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
@@ -11,5 +12,4 @@ Applied:
   manual-document-mt-safety-math.patch: 00af0ed393c8103a619299dc34fcda36561f3cd7
   manual-document-mt-safety-ctype-wip.patch: b86a9adf8ea6fc915d528f3fa61ded06f3c91c61
   manual-document-mt-safety-wip.patch: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
-Unapplied:
 Hidden:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f618714f0d41bb4db78aaa249202934f8c95d2dd

commit f618714f0d41bb4db78aaa249202934f8c95d2dd
Merge: d62a41b 08d66cf
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:53:38 2013 -0300

    start of log


http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d62a41bd6cad10dd3fd1d552044e1c0fc15c3b30

commit d62a41bd6cad10dd3fd1d552044e1c0fc15c3b30
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Jul 30 04:53:38 2013 -0300

    start of log

diff --git a/meta b/meta
new file mode 100644
index 0000000..098d519
--- /dev/null
+++ b/meta
@@ -0,0 +1,15 @@
+Version: 1
+Previous: None
+Head: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
+Applied:
+  manual-document-mt-safety.patch: 706d7b14f054f498250c63c1e221a935b0e5ced2
+  powerpc-nofpu-sim-note-nothread.patch: c2080123a1257f86601d8639f289ea4e3e6e27d7
+  unused-scalb-is-scalbn.patch: c7b61a96cbd8cb57ef7aedbddf47a3368451583d
+  manual-document-mt-safety-arith.patch: ff79da305c9dfa8cdc253ef91e3af827e98ecd2b
+  manual-document-mt-safety-stdio.patch: 29204588dcc2ae4b2c07025a50f8018c87cdc409
+  manual-document-mt-safety-locale.patch: 2138bb13b72835109d53a470595be6f31f485113
+  manual-document-mt-safety-math.patch: 00af0ed393c8103a619299dc34fcda36561f3cd7
+  manual-document-mt-safety-ctype-wip.patch: b86a9adf8ea6fc915d528f3fa61ded06f3c91c61
+  manual-document-mt-safety-wip.patch: 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
+Unapplied:
+Hidden:
diff --git a/patches/manual-document-mt-safety-arith.patch b/patches/manual-document-mt-safety-arith.patch
new file mode 100644
index 0000000..6d56f45
--- /dev/null
+++ b/patches/manual-document-mt-safety-arith.patch
@@ -0,0 +1,822 @@
+Bottom: 58842960ffbf63afb50845d77d86b584785bfb5d
+Top:    4d06ccc13c580c9f8bc1ebbdc407011933a41e89
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:39 -0300
+
+Thread safety documentation.
+
+for  ChangeLog
+
+	* manual/arith.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/arith.texi b/manual/arith.texi
+index 77056c3..833e0c9 100644
+--- a/manual/arith.texi
++++ b/manual/arith.texi
+@@ -160,6 +160,8 @@ The remainder from the division.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun div_t div (int @var{numerator}, int @var{denominator})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Functions in this section are pure, and thus safe.
+ This function @code{div} computes the quotient and remainder from
+ the division of @var{numerator} by @var{denominator}, returning the
+ result in a structure of type @code{div_t}.
+@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{ldiv} function is similar to @code{div}, except that the
+ arguments are of type @code{long int} and the result is returned as a
+ structure of type @code{ldiv_t}.
+@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{lldiv} function is like the @code{div} function, but the
+ arguments are of type @code{long long int} and the result is returned as
+ a structure of type @code{lldiv_t}.
+@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
+ @comment inttypes.h
+ @comment ISO
+ @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{imaxdiv} function is like the @code{div} function, but the
+ arguments are of type @code{intmax_t} and the result is returned as
+ a structure of type @code{imaxdiv_t}.
+@@ -410,6 +415,7 @@ not have to worry about the type of their argument.
+ @comment math.h
+ @comment BSD
+ @deftypefunx int isinfl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function returns @code{-1} if @var{x} represents negative infinity,
+ @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
+ @end deftypefun
+@@ -423,6 +429,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
+ @comment math.h
+ @comment BSD
+ @deftypefunx int isnanl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function returns a nonzero value if @var{x} is a ``not a number''
+ value, and zero otherwise.
+ 
+@@ -445,6 +452,7 @@ function for some reason, you can write
+ @comment math.h
+ @comment BSD
+ @deftypefunx int finitel (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function returns a nonzero value if @var{x} is finite or a ``not a
+ number'' value, and zero otherwise.
+ @end deftypefun
+@@ -713,6 +721,22 @@ and save and restore the set of exceptions flagged.
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int feclearexcept (int @var{excepts})
++@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
++@c The other functions in this section that modify FP status register
++@c mostly do so with non-atomic load-modify-store sequences, but since
++@c the register is thread-specific, this should be fine, and safe for
++@c cancellation.  As long as the FP environment is restored before the
++@c signal handler returns control to the interrupted thread (like any
++@c kernel should do), the functions are also safe for use in signal
++@c handlers.
++@c
++@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
++@c __sim_exception, __sim_disabled_exception and __sim_round_mode
++@c variables, that emulate a floating-point status register, are not
++@c thread-specific variables, so many of these functions are not MT-safe
++@c on that platform.  This is probably a bug.  These variables aren't
++@c restored by the signal machinery either, making the functions also
++@c async-signal-unsafe on this platform.
+ This function clears all of the supported exception flags indicated by
+ @var{excepts}.
+ 
+@@ -723,6 +747,7 @@ non-zero value otherwise.
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int feraiseexcept (int @var{excepts})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ This function raises the supported exceptions indicated by
+ @var{excepts}.  If more than one exception bit in @var{excepts} is set
+ the order in which the exceptions are raised is undefined except that
+@@ -738,6 +763,7 @@ non-zero value otherwise.
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int fetestexcept (int @var{excepts})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ Test whether the exception flags indicated by the parameter @var{except}
+ are currently set.  If any of them are, a nonzero value is returned
+ which specifies which exceptions are set.  Otherwise the result is zero.
+@@ -774,6 +800,7 @@ following functions:
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ This function stores in the variable pointed to by @var{flagp} an
+ implementation-defined value representing the current setting of the
+ exception flags indicated by @var{excepts}.
+@@ -785,6 +812,7 @@ non-zero value otherwise.
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ This function restores the flags for the exceptions indicated by
+ @var{excepts} to the values stored in the variable pointed to by
+ @var{flagp}.
+@@ -940,6 +968,7 @@ find out which one with this function:
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int fegetround (void)
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ Returns the currently selected rounding mode, represented by one of the
+ values of the defined rounding mode macros.
+ @end deftypefun
+@@ -950,6 +979,7 @@ To change the rounding mode, use this function:
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int fesetround (int @var{round})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ Changes the currently selected rounding mode to @var{round}.  If
+ @var{round} does not correspond to one of the supported rounding modes
+ nothing is changed.  @code{fesetround} returns zero if it changed the
+@@ -994,6 +1024,7 @@ To save the state of the FPU, use one of these functions:
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int fegetenv (fenv_t *@var{envp})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ Store the floating-point environment in the variable pointed to by
+ @var{envp}.
+ 
+@@ -1004,6 +1035,7 @@ non-zero value otherwise.
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int feholdexcept (fenv_t *@var{envp})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ Store the current floating-point environment in the object pointed to by
+ @var{envp}.  Then clear all exception flags, and set the FPU to trap no
+ exceptions.  Not all FPUs support trapping no exceptions; if
+@@ -1042,6 +1074,7 @@ functions:
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int fesetenv (const fenv_t *@var{envp})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ Set the floating-point environment to that described by @var{envp}.
+ 
+ The function returns zero in case the operation was successful, a
+@@ -1051,6 +1084,7 @@ non-zero value otherwise.
+ @comment fenv.h
+ @comment ISO
+ @deftypefun int feupdateenv (const fenv_t *@var{envp})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ Like @code{fesetenv}, this function sets the floating-point environment
+ to that described by @var{envp}.  However, if any exceptions were
+ flagged in the status word before @code{feupdateenv} was called, they
+@@ -1071,6 +1105,7 @@ occur, you can use the following two functions.
+ @comment fenv.h
+ @comment GNU
+ @deftypefun int feenableexcept (int @var{excepts})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ This functions enables traps for each of the exceptions as indicated by
+ the parameter @var{except}.  The individual exceptions are described in
+ @ref{Status bit operations}.  Only the specified exceptions are
+@@ -1083,6 +1118,7 @@ operation was successful, @code{-1} otherwise.
+ @comment fenv.h
+ @comment GNU
+ @deftypefun int fedisableexcept (int @var{excepts})
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ This functions disables traps for each of the exceptions as indicated by
+ the parameter @var{except}.  The individual exceptions are described in
+ @ref{Status bit operations}.  Only the specified exceptions are
+@@ -1095,6 +1131,7 @@ operation was successful, @code{-1} otherwise.
+ @comment fenv.h
+ @comment GNU
+ @deftypefun int fegetexcept (void)
++@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
+ The function returns a bitmask of all currently enabled exceptions.  It
+ returns @code{-1} in case of failure.
+ @end deftypefun
+@@ -1146,6 +1183,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
+ @comment inttypes.h
+ @comment ISO
+ @deftypefunx intmax_t imaxabs (intmax_t @var{number})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the absolute value of @var{number}.
+ 
+ Most computers use a two's complement integer representation, in which
+@@ -1167,6 +1205,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} fabsl (long double @var{number})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function returns the absolute value of the floating-point number
+ @var{number}.
+ @end deftypefun
+@@ -1180,6 +1219,7 @@ This function returns the absolute value of the floating-point number
+ @comment complex.h
+ @comment ISO
+ @deftypefunx {long double} cabsl (complex long double @var{z})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the absolute  value of the complex number @var{z}
+ (@pxref{Complex Numbers}).  The absolute value of a complex number is:
+ 
+@@ -1217,6 +1257,7 @@ All these functions are declared in @file{math.h}.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are used to split the number @var{value}
+ into a normalized fraction and an exponent.
+ 
+@@ -1242,6 +1283,7 @@ zero is stored in @code{*@var{exponent}}.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the result of multiplying the floating-point
+ number @var{value} by 2 raised to the power @var{exponent}.  (It can
+ be used to reassemble floating-point numbers that were taken apart
+@@ -1263,6 +1305,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
+ @comment math.h
+ @comment BSD
+ @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{scalb} function is the BSD name for @code{ldexp}.
+ @end deftypefun
+ 
+@@ -1275,6 +1318,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
+ @comment math.h
+ @comment BSD
+ @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @code{scalbn} is identical to @code{scalb}, except that the exponent
+ @var{n} is an @code{int} instead of a floating-point number.
+ @end deftypefun
+@@ -1288,6 +1332,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
+ @comment math.h
+ @comment BSD
+ @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @code{scalbln} is identical to @code{scalb}, except that the exponent
+ @var{n} is a @code{long int} instead of a floating-point number.
+ @end deftypefun
+@@ -1301,6 +1346,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
+ @comment math.h
+ @comment BSD
+ @deftypefunx {long double} significandl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @code{significand} returns the mantissa of @var{x} scaled to the range
+ @math{[1, 2)}.
+ It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
+@@ -1335,6 +1381,7 @@ result as a @code{double} instead to get around this problem.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} ceill (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions round @var{x} upwards to the nearest integer,
+ returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
+ is @code{2.0}.
+@@ -1349,6 +1396,7 @@ is @code{2.0}.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} floorl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions round @var{x} downwards to the nearest
+ integer, returning that value as a @code{double}.  Thus, @code{floor
+ (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
+@@ -1363,6 +1411,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} truncl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{trunc} functions round @var{x} towards zero to the nearest
+ integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
+ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
+@@ -1377,6 +1426,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} rintl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions round @var{x} to an integer value according to the
+ current rounding mode.  @xref{Floating Point Parameters}, for
+ information about the various rounding modes.  The default
+@@ -1397,6 +1447,7 @@ inexact exception.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} nearbyintl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the same value as the @code{rint} functions, but
+ do not raise the inexact exception if @var{x} is not an integer.
+ @end deftypefun
+@@ -1410,6 +1461,7 @@ do not raise the inexact exception if @var{x} is not an integer.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} roundl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are similar to @code{rint}, but they round halfway
+ cases away from zero instead of to the nearest integer (or other
+ current rounding mode).
+@@ -1424,6 +1476,7 @@ current rounding mode).
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long int} lrintl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are just like @code{rint}, but they return a
+ @code{long int} instead of a floating-point number.
+ @end deftypefun
+@@ -1437,6 +1490,7 @@ These functions are just like @code{rint}, but they return a
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long long int} llrintl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are just like @code{rint}, but they return a
+ @code{long long int} instead of a floating-point number.
+ @end deftypefun
+@@ -1450,6 +1504,7 @@ These functions are just like @code{rint}, but they return a
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long int} lroundl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are just like @code{round}, but they return a
+ @code{long int} instead of a floating-point number.
+ @end deftypefun
+@@ -1463,6 +1518,7 @@ These functions are just like @code{round}, but they return a
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long long int} llroundl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are just like @code{round}, but they return a
+ @code{long long int} instead of a floating-point number.
+ @end deftypefun
+@@ -1477,6 +1533,7 @@ These functions are just like @code{round}, but they return a
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions break the argument @var{value} into an integer part and a
+ fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
+ equals @var{value}.  Each of the parts has the same sign as @var{value},
+@@ -1503,6 +1560,7 @@ suits your problem.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions compute the remainder from the division of
+ @var{numerator} by @var{denominator}.  Specifically, the return value is
+ @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
+@@ -1525,6 +1583,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
+ @comment math.h
+ @comment BSD
+ @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are like @code{fmod} except that they round the
+ internal quotient @var{n} to the nearest integer instead of towards zero
+ to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
+@@ -1548,6 +1607,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
+ @comment math.h
+ @comment BSD
+ @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is another name for @code{drem}.
+ @end deftypefun
+ 
+@@ -1569,6 +1629,7 @@ bits.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return @var{x} but with the sign of @var{y}.  They work
+ even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
+ sign (although not all implementations support it) and this is one of
+@@ -1584,6 +1645,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
+ @comment math.h
+ @comment ISO
+ @deftypefun int signbit (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @code{signbit} is a generic macro which can work on all floating-point
+ types.  It returns a nonzero value if the value of @var{x} has its sign
+ bit set.
+@@ -1602,6 +1664,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{nextafter} function returns the next representable neighbor of
+ @var{x} in the direction towards @var{y}.  The size of the step between
+ @var{x} and the result depends on the type of the result.  If
+@@ -1625,6 +1688,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are identical to the corresponding versions of
+ @code{nextafter} except that their second argument is a @code{long
+ double}.
+@@ -1640,6 +1704,8 @@ double}.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} nanl (const char *@var{tagp})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@c The unsafe-but-ruled-safe locale use comes from strtod.
+ The @code{nan} function returns a representation of NaN, provided that
+ NaN is supported by the target platform.
+ @code{nan ("@var{n-char-sequence}")} is equivalent to
+@@ -1674,6 +1740,7 @@ arguments only once.
+ @comment math.h
+ @comment ISO
+ @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro determines whether the argument @var{x} is greater than
+ @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
+ exception is raised if @var{x} or @var{y} are NaN.
+@@ -1682,6 +1749,7 @@ exception is raised if @var{x} or @var{y} are NaN.
+ @comment math.h
+ @comment ISO
+ @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro determines whether the argument @var{x} is greater than or
+ equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
+ exception is raised if @var{x} or @var{y} are NaN.
+@@ -1690,6 +1758,7 @@ exception is raised if @var{x} or @var{y} are NaN.
+ @comment math.h
+ @comment ISO
+ @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro determines whether the argument @var{x} is less than @var{y}.
+ It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
+ raised if @var{x} or @var{y} are NaN.
+@@ -1698,6 +1767,7 @@ raised if @var{x} or @var{y} are NaN.
+ @comment math.h
+ @comment ISO
+ @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro determines whether the argument @var{x} is less than or equal
+ to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
+ exception is raised if @var{x} or @var{y} are NaN.
+@@ -1706,6 +1776,7 @@ exception is raised if @var{x} or @var{y} are NaN.
+ @comment math.h
+ @comment ISO
+ @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro determines whether the argument @var{x} is less or greater
+ than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
+ (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
+@@ -1718,6 +1789,7 @@ expression is true if @var{x} or @var{y} are NaN.
+ @comment math.h
+ @comment ISO
+ @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro determines whether its arguments are unordered.  In other
+ words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
+ @end deftypefn
+@@ -1751,6 +1823,7 @@ perform these operations faster than the equivalent C code.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fmin} function returns the lesser of the two values @var{x}
+ and @var{y}.  It is similar to the expression
+ @smallexample
+@@ -1771,6 +1844,7 @@ are NaN, NaN is returned.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fmax} function returns the greater of the two values @var{x}
+ and @var{y}.
+ 
+@@ -1787,6 +1861,7 @@ are NaN, NaN is returned.
+ @comment math.h
+ @comment ISO
+ @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fdim} function returns the positive difference between
+ @var{x} and @var{y}.  The positive difference is @math{@var{x} -
+ @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
+@@ -1804,6 +1879,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
+ @comment ISO
+ @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
+ @cindex butterfly
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fma} function performs floating-point multiply-add.  This is
+ the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
+ intermediate result is not rounded to the destination type.  This can
+@@ -1933,6 +2009,7 @@ available in three variants, one for each of the three complex types.
+ @comment complex.h
+ @comment ISO
+ @deftypefunx {long double} creall (complex long double @var{z})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the real part of the complex number @var{z}.
+ @end deftypefun
+ 
+@@ -1945,6 +2022,7 @@ These functions return the real part of the complex number @var{z}.
+ @comment complex.h
+ @comment ISO
+ @deftypefunx {long double} cimagl (complex long double @var{z})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the imaginary part of the complex number @var{z}.
+ @end deftypefun
+ 
+@@ -1957,6 +2035,7 @@ These functions return the imaginary part of the complex number @var{z}.
+ @comment complex.h
+ @comment ISO
+ @deftypefunx {complex long double} conjl (complex long double @var{z})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the conjugate value of the complex number
+ @var{z}.  The conjugate of a complex number has the same real part and a
+ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
+@@ -1971,6 +2050,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
+ @comment complex.h
+ @comment ISO
+ @deftypefunx {long double} cargl (complex long double @var{z})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the argument of the complex number @var{z}.
+ The argument of a complex number is the angle in the complex plane
+ between the positive real axis and a line passing through zero and the
+@@ -1989,6 +2069,7 @@ number.  This angle is measured in the usual fashion and ranges from
+ @comment complex.h
+ @comment ISO
+ @deftypefunx {complex long double} cprojl (complex long double @var{z})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions return the projection of the complex value @var{z} onto
+ the Riemann sphere.  Values with a infinite imaginary part are projected
+ to positive infinity on the real axis, even if the real part is NaN.  If
+@@ -2034,6 +2115,16 @@ as well.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@c strtol uses the thread-local pointer to the locale in effect, and
++@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
++@c but if the locale is the global locale, and another thread calls
++@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
++@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
++@c execution of the function, because they re-read the locale data from
++@c the given locale pointer.  We solved this by documenting setlocale as
++@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
++@c AS-Safe; recheck.
+ The @code{strtol} (``string-to-long'') function converts the initial
+ part of @var{string} to a signed integer, which is returned as a value
+ of type @code{long int}.
+@@ -2097,6 +2188,7 @@ There is an example at the end of this section.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstol} function is equivalent to the @code{strtol} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2106,6 +2198,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{strtoul} (``string-to-unsigned-long'') function is like
+ @code{strtol} except it converts to an @code{unsigned long int} value.
+ The syntax is the same as described above for @code{strtol}.  The value
+@@ -2124,6 +2217,7 @@ range, or @code{ERANGE} on overflow.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstoul} function is equivalent to the @code{strtoul} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2133,6 +2227,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{strtoll} function is like @code{strtol} except that it returns
+ a @code{long long int} value, and accepts numbers with a correspondingly
+ larger range.
+@@ -2149,6 +2244,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstoll} function is equivalent to the @code{strtoll} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2158,12 +2254,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
+ @end deftypefun
+ 
+ @comment wchar.h
+ @comment GNU
+ @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstoq} function is equivalent to the @code{strtoq} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2173,6 +2271,7 @@ The @code{wcstoq} function is a GNU extension.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{strtoull} function is related to @code{strtoll} the same way
+ @code{strtoul} is related to @code{strtol}.
+ 
+@@ -2182,6 +2281,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstoull} function is equivalent to the @code{strtoull} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2191,12 +2291,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ @code{strtouq} is the BSD name for @code{strtoull}.
+ @end deftypefun
+ 
+ @comment wchar.h
+ @comment GNU
+ @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstouq} function is equivalent to the @code{strtouq} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2206,6 +2308,7 @@ The @code{wcstouq} function is a GNU extension.
+ @comment inttypes.h
+ @comment ISO
+ @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{strtoimax} function is like @code{strtol} except that it returns
+ a @code{intmax_t} value, and accepts numbers of a corresponding range.
+ 
+@@ -2222,6 +2325,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
+ @comment wchar.h
+ @comment ISO
+ @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2231,6 +2335,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
+ @comment inttypes.h
+ @comment ISO
+ @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{strtoumax} function is related to @code{strtoimax}
+ the same way that @code{strtoul} is related to @code{strtol}.
+ 
+@@ -2241,6 +2346,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
+ @comment wchar.h
+ @comment ISO
+ @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
+ in nearly all aspects but handles wide character strings.
+ 
+@@ -2250,6 +2356,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {long int} atol (const char *@var{string})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ This function is similar to the @code{strtol} function with a @var{base}
+ argument of @code{10}, except that it need not detect overflow errors.
+ The @code{atol} function is provided mostly for compatibility with
+@@ -2259,6 +2366,7 @@ existing code; using @code{strtol} is more robust.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun int atoi (const char *@var{string})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ This function is like @code{atol}, except that it returns an @code{int}.
+ The @code{atoi} function is also considered obsolete; use @code{strtol}
+ instead.
+@@ -2267,6 +2375,7 @@ instead.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun {long long int} atoll (const char *@var{string})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ This function is similar to @code{atol}, except it returns a @code{long
+ long int}.
+ 
+@@ -2331,6 +2440,9 @@ as well.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
++@c mpn, but it's all safe.
+ The @code{strtod} (``string-to-double'') function converts the initial
+ part of @var{string} to a floating-point number, which is returned as a
+ value of type @code{double}.
+@@ -2416,6 +2528,7 @@ examining @var{errno} and @var{tailptr}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ These functions are analogous to @code{strtod}, but return @code{float}
+ and @code{long double} values respectively.  They report errors in the
+ same way as @code{strtod}.  @code{strtof} can be substantially faster
+@@ -2435,6 +2548,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
+ equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
+ @code{strtold} functions but it handles wide character string.
+@@ -2447,6 +2561,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun double atof (const char *@var{string})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ This function is similar to the @code{strtod} function, except that it
+ need not detect overflow and underflow errors.  The @code{atof} function
+ is provided mostly for compatibility with existing code; using
+@@ -2473,6 +2588,7 @@ All these functions are defined in @file{stdlib.h}.
+ @comment stdlib.h
+ @comment SVID, Unix98
+ @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
++@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
+ The function @code{ecvt} converts the floating-point number @var{value}
+ to a string with at most @var{ndigit} decimal digits.  The
+ returned string contains no decimal point or sign. The first digit of
+@@ -2498,6 +2614,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
+ @comment stdlib.h
+ @comment SVID, Unix98
+ @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
++@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
+ The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
+ the number of digits after the decimal point.  If @var{ndigit} is less
+ than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
+@@ -2516,6 +2633,9 @@ to @code{fcvt}.
+ @comment stdlib.h
+ @comment SVID, Unix98
+ @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
++@c args_value if it's too large, but gcvt never exercises this path.  
+ @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
+ ndigit, value}.  It is provided only for compatibility's sake.  It
+ returns @var{buf}.
+@@ -2530,6 +2650,7 @@ functions that take @code{long double} arguments.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
++@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
+ This function is equivalent to @code{ecvt} except that it takes a
+ @code{long double} for the first parameter and that @var{ndigit} is
+ restricted by the precision of a @code{long double}.
+@@ -2538,6 +2659,7 @@ restricted by the precision of a @code{long double}.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
++@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
+ This function is equivalent to @code{fcvt} except that it
+ takes a @code{long double} for the first parameter and that @var{ndigit} is
+ restricted by the precision of a @code{long double}.
+@@ -2546,6 +2668,7 @@ restricted by the precision of a @code{long double}.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is equivalent to @code{gcvt} except that it takes a
+ @code{long double} for the first parameter and that @var{ndigit} is
+ restricted by the precision of a @code{long double}.
+@@ -2566,6 +2689,7 @@ user-supplied buffer.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{ecvt_r} function is the same as @code{ecvt}, except
+ that it places its result into the user-specified buffer pointed to by
+ @var{buf}, with length @var{len}.  The return value is @code{-1} in
+@@ -2577,6 +2701,7 @@ This function is a GNU extension.
+ @comment stdlib.h
+ @comment SVID, Unix98
+ @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fcvt_r} function is the same as @code{fcvt}, except that it
+ places its result into the user-specified buffer pointed to by
+ @var{buf}, with length @var{len}.  The return value is @code{-1} in
+@@ -2588,6 +2713,7 @@ This function is a GNU extension.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{qecvt_r} function is the same as @code{qecvt}, except
+ that it places its result into the user-specified buffer pointed to by
+ @var{buf}, with length @var{len}.  The return value is @code{-1} in
+@@ -2599,6 +2725,7 @@ This function is a GNU extension.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{qfcvt_r} function is the same as @code{qfcvt}, except
+ that it places its result into the user-specified buffer pointed to by
+ @var{buf}, with length @var{len}.  The return value is @code{-1} in
diff --git a/patches/manual-document-mt-safety-ctype-wip.patch b/patches/manual-document-mt-safety-ctype-wip.patch
new file mode 100644
index 0000000..2751123
--- /dev/null
+++ b/patches/manual-document-mt-safety-ctype-wip.patch
@@ -0,0 +1,34 @@
+Bottom: 7c3df0362db41863af2f7f886b7e7f14cd2cb7c5
+Top:    cd865dbc67422bb0360d4e2692cc5f7ec6aea252
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:43 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/ctype.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/ctype.texi b/manual/ctype.texi
+index 3d13571..f05d509 100644
+--- a/manual/ctype.texi
++++ b/manual/ctype.texi
+@@ -691,6 +691,7 @@ This type is defined in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wctrans_t wctrans (const char *@var{property})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ The @code{wctrans} function has to be used to find out whether a named
+ mapping is defined in the current locale selected for the
+ @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
+@@ -713,6 +714,7 @@ These functions are declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
++@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ @code{towctrans} maps the input character @var{wc}
+ according to the rules of the mapping for which @var{desc} is a
+ descriptor, and returns the value it finds.  @var{desc} must be
diff --git a/patches/manual-document-mt-safety-locale.patch b/patches/manual-document-mt-safety-locale.patch
new file mode 100644
index 0000000..def6108
--- /dev/null
+++ b/patches/manual-document-mt-safety-locale.patch
@@ -0,0 +1,29 @@
+Bottom: e742d008a73a9279e0234fe6e8416e0b74b22645
+Top:    b6a7df74e1dd769dd2a68885320bde2bae038277
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:40 -0300
+
+Thread safety documentation.
+
+for  ChangeLog
+
+	* manual/locale.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 2f10fcd..323268d 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -224,6 +224,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @comment locale.h
+ @comment ISO
+ @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
++@safety{@mtunsafe{uunguard}}
++@c This function is MT-Safe, but uses of the global locale object are
++@c unguarded in functions that ought to be MT-Safe, so we're ruling out
++@c the use of this function once threads are started.
+ The function @code{setlocale} sets the current locale for category
+ @var{category} to @var{locale}.  A list of all the locales the system
+ provides can be created by running
diff --git a/patches/manual-document-mt-safety-math.patch b/patches/manual-document-mt-safety-math.patch
new file mode 100644
index 0000000..14df6f3
--- /dev/null
+++ b/patches/manual-document-mt-safety-math.patch
@@ -0,0 +1,26 @@
+Bottom: b6a7df74e1dd769dd2a68885320bde2bae038277
+Top:    7c3df0362db41863af2f7f886b7e7f14cd2cb7c5
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:41 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/math.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/math.texi b/manual/math.texi
+index 193d415..fd5d0c8 100644
+--- a/manual/math.texi
++++ b/manual/math.texi
+@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
+ @comment math.h
+ @comment ISO
+ @deftypefunx int ilogbl (long double @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ These functions are equivalent to the corresponding @code{logb}
+ functions except that they return signed integer values.
+ @end deftypefun
diff --git a/patches/manual-document-mt-safety-stdio.patch b/patches/manual-document-mt-safety-stdio.patch
new file mode 100644
index 0000000..2088f94
--- /dev/null
+++ b/patches/manual-document-mt-safety-stdio.patch
@@ -0,0 +1,1117 @@
+Bottom: 4d06ccc13c580c9f8bc1ebbdc407011933a41e89
+Top:    e742d008a73a9279e0234fe6e8416e0b74b22645
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:40 -0300
+
+Thread safety documentation.
+
+for  ChangeLog
+
+	* manual/stdio.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/stdio.texi b/manual/stdio.texi
+index 3f9be9bc5..7809dd4 100644
+--- a/manual/stdio.texi
++++ b/manual/stdio.texi
+@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
++@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@c fopen may leak the list lock if cancelled within _IO_link_in.
+ The @code{fopen} function opens a stream for I/O to the file
+ @var{filename}, and returns a pointer to the stream.
+ 
+@@ -265,6 +267,7 @@ Locks}.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
++@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+ This function is similar to @code{fopen} but the stream it returns a
+ pointer for is opened using @code{open64}.  Therefore this stream can be
+ used even on files larger then @math{2^31} bytes on 32 bit machines.
+@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
++@c Like most I/O operations, this one is guarded by a recursive lock,
++@c released even upon cancellation, but cancellation may leak file
++@c descriptors and leave the stream in an inconsistent state (e.g.,
++@c still bound to the closed descriptor).  Also, if the stream is
++@c part-way through a significant update (say running freopen) when a
++@c signal handler calls freopen again on the same stream, the result is
++@c likely to be an inconsistent stream, and the possibility of closing
++@c twice file descriptor number that the stream used to use, the second
++@c time when it might have already been reused by another thread.
+ This function is like a combination of @code{fclose} and @code{fopen}.
+ It first closes the stream referred to by @var{stream}, ignoring any
+ errors that are detected in the process.  (Because errors are ignored,
+@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+ This function is similar to @code{freopen}.  The only difference is that
+ on 32 bit machine the stream returned is able to read beyond the
+ @math{2^31} bytes limits imposed by the normal interface.  It should be
+@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun int __freadable (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{__freadable} function determines whether the stream
+ @var{stream} was opened to allow reading.  In this case the return value
+ is nonzero.  For write-only streams the function returns zero.
+@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun int __fwritable (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{__fwritable} function determines whether the stream
+ @var{stream} was opened to allow writing.  In this case the return value
+ is nonzero.  For read-only streams the function returns zero.
+@@ -364,6 +380,7 @@ They provide even finer-grained information.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun int __freading (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{__freading} function determines whether the stream
+ @var{stream} was last read from or whether it is opened read-only.  In
+ this case the return value is nonzero, otherwise it is zero.
+@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun int __fwriting (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{__fwriting} function determines whether the stream
+ @var{stream} was last written to or whether it is opened write-only.  In
+ this case the return value is nonzero, otherwise it is zero.
+@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fclose (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
++@c After fclose, it is undefined behavior to use the stream it points
++@c to.  Therefore, one must only call fclose when the stream is
++@c otherwise unused.  Concurrent uses started before will complete
++@c successfully because of the lock, which makes it MT-Safe.  Calling it
++@c from a signal handler is perfectly safe if the stream is known to be
++@c no longer used, which is a precondition for fclose to be safe in the
++@c first place; since this is no further requirement, fclose is safe for
++@c use in async signals too.  After calling fclose, you can no longer
++@c use the stream, not even to fclose it again, so its memory and file
++@c descriptor may leak if fclose is canceled before @c releasing them.
++@c That the stream must be unused and it becomes unused after the call
++@c is what would enable fclose to be AS- and AC-Safe while freopen
++@c isn't.  However, because of the possibility of leaving __gconv_lock
++@c taken upon cancellation, AC-Safety is lost.
+ This function causes @var{stream} to be closed and the connection to
+ the corresponding file to be broken.  Any buffered output is written
+ and any buffered input is discarded.  The @code{fclose} function returns
+@@ -418,6 +451,12 @@ another function.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int fcloseall (void)
++@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
++@c Like fclose, using any previously-opened streams after fcloseall is
++@c undefined.  However, the implementation of fcloseall isn't equivalent
++@c to calling fclose for all streams: it just flushes and unbuffers all
++@c streams, without any locking.  It's the flushing without locking that
++@c makes it unsafe.
+ This function causes all open streams of the process to be closed and
+ the connection to corresponding files to be broken.  All buffered data
+ is written and any buffered input is discarded.  The @code{fcloseall}
+@@ -474,6 +513,9 @@ perform the stream locking in the application code.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun void flockfile (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
++@c There's no way to tell whether the lock was acquired before or after
++@c cancellation so as to unlock only when appropriate.
+ The @code{flockfile} function acquires the internal locking object
+ associated with the stream @var{stream}.  This ensures that no other
+ thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
+@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int ftrylockfile (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+ The @code{ftrylockfile} function tries to acquire the internal locking
+ object associated with the stream @var{stream} just like
+ @code{flockfile}.  But unlike @code{flockfile} this function does not
+@@ -496,6 +539,7 @@ another thread.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun void funlockfile (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+ The @code{funlockfile} function releases the internal locking object of
+ the stream @var{stream}. The stream must have been locked before by a
+ call to @code{flockfile} or a successful call of @code{ftrylockfile}.
+@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
++@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
++@c Changing the implicit-locking status of a stream while it's in use by
++@c another thread may cause a lock to be implicitly acquired and not
++@c released, or vice-versa.  This function should probably hold the lock
++@c while changing this setting, to make sure we don't change it while
++@c there are any concurrent uses.  Meanwhile, callers should acquire the
++@c lock themselves to be safe, and even concurrent uses with external
++@c locking will be fine, as long as functions that require external
++@c locking are not called without holding locks.
+ 
+ The @code{__fsetlocking} function can be used to select whether the
+ stream operations will implicitly acquire the locking object of the
+@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
+ variants will implicitly lock the stream.
+ 
+ @item FSETLOCKING_BYCALLER
++@c ??? Does the possibility of disabling implicit locking on any stream
++@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
++@c ones?
+ After the @code{__fsetlocking} function returns the user is responsible
+ for locking the stream.  None of the stream operations will implicitly
+ do this anymore until the state is set back to
+@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
++@c Querying is always safe, but changing the stream when it's in use
++@c upthread may be problematic.  Like most lock-acquiring functions,
++@c this one may leak the lock if canceled.
+ 
+ The @code{fwide} function can be used to set and query the state of the
+ orientation of the stream @var{stream}.  If the @var{mode} parameter has
+@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fputc (int @var{c}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
++@c If the stream is in use when interrupted by a signal, the recursive
++@c lock won't help ensure the stream is consistent; indeed, if fputc
++@c gets a signal precisely before the post-incremented _IO_write_ptr
++@c value is stored, we may overwrite the interrupted write.  Conversely,
++@c depending on compiler optimizations, the incremented _IO_write_ptr
++@c may be stored before the character is stored in the buffer,
++@c corrupting the stream if async cancel hits between the two stores.
++@c There may be other reasons for AS- and AC-unsafety in the overflow
++@c cases.
+ The @code{fputc} function converts the character @var{c} to type
+ @code{unsigned char}, and writes it to the stream @var{stream}.
+ @code{EOF} is returned if a write error occurs; otherwise the
+@@ -820,6 +890,7 @@ character @var{c} is returned.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+ The @code{fputwc} function writes the wide character @var{wc} to the
+ stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
+ otherwise the character @var{wc} is returned.
+@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
++@c The unlocked functions can't possibly satisfy the MT-Safety
++@c requirements on their own, because they require external locking for
++@c safety.
+ The @code{fputc_unlocked} function is equivalent to the @code{fputc}
+ function except that it does not implicitly lock the stream.
+ @end deftypefun
+@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
+ @comment wchar.h
+ @comment POSIX
+ @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -844,6 +920,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int putc (int @var{c}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+ This is just like @code{fputc}, except that most systems implement it as
+ a macro, making it faster.  One consequence is that it may evaluate the
+ @var{stream} argument more than once, which is an exception to the
+@@ -854,6 +931,7 @@ use for writing a single character.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+ This is just like @code{fputwc}, except that it can be implement as
+ a macro, making it faster.  One consequence is that it may evaluate the
+ @var{stream} argument more than once, which is an exception to the
+@@ -864,6 +942,7 @@ use for writing a single wide character.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{putc_unlocked} function is equivalent to the @code{putc}
+ function except that it does not implicitly lock the stream.
+ @end deftypefun
+@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{putwc_unlocked} function is equivalent to the @code{putwc}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -880,6 +960,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int putchar (int @var{c})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+ The @code{putchar} function is equivalent to @code{putc} with
+ @code{stdout} as the value of the @var{stream} argument.
+ @end deftypefun
+@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t putwchar (wchar_t @var{wc})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+ The @code{putwchar} function is equivalent to @code{putwc} with
+ @code{stdout} as the value of the @var{stream} argument.
+ @end deftypefun
+@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int putchar_unlocked (int @var{c})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{putchar_unlocked} function is equivalent to the @code{putchar}
+ function except that it does not implicitly lock the stream.
+ @end deftypefun
+@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -910,6 +994,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+ The function @code{fputs} writes the string @var{s} to the stream
+ @var{stream}.  The terminating null character is not written.
+ This function does @emph{not} add a newline character, either.
+@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+ The function @code{fputws} writes the wide character string @var{ws} to
+ the stream @var{stream}.  The terminating null character is not written.
+ This function does @emph{not} add a newline character, either.  It
+@@ -945,6 +1031,7 @@ a non-negative value.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fputs_unlocked} function is equivalent to the @code{fputs}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -954,6 +1041,7 @@ This function is a GNU extension.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fputws_unlocked} function is equivalent to the @code{fputws}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -963,6 +1051,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int puts (const char *@var{s})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{puts} function writes the string @var{s} to the stream
+ @code{stdout} followed by a newline.  The terminating null character of
+ the string is not written.  (Note that @code{fputs} does @emph{not}
+@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
+ @comment stdio.h
+ @comment SVID
+ @deftypefun int putw (int @var{w}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function writes the word @var{w} (that is, an @code{int}) to
+ @var{stream}.  It is provided for compatibility with SVID, but we
+ recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
+@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fgetc (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
++@c Same caveats as fputc, but instead of losing a write in case of async
++@c signals, we may read the same character more than once, and the
++@c stream may be left in odd states due to cancellation in the underflow
++@c cases.
+ This function reads the next character as an @code{unsigned char} from
+ the stream @var{stream} and returns its value, converted to an
+ @code{int}.  If an end-of-file condition or read error occurs,
+@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t fgetwc (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function reads the next wide character from the stream @var{stream}
+ and returns its value.  If an end-of-file condition or read error
+ occurs, @code{WEOF} is returned instead.
+@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int fgetc_unlocked (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
+ function except that it does not implicitly lock the stream.
+ @end deftypefun
+@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -1047,6 +1145,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int getc (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This is just like @code{fgetc}, except that it is permissible (and
+ typical) for it to be implemented as a macro that evaluates the
+ @var{stream} argument more than once.  @code{getc} is often highly
+@@ -1057,6 +1156,7 @@ character.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t getwc (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This is just like @code{fgetwc}, except that it is permissible for it to
+ be implemented as a macro that evaluates the @var{stream} argument more
+ than once.  @code{getwc} can be highly optimized, so it is usually the
+@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int getc_unlocked (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{getc_unlocked} function is equivalent to the @code{getc}
+ function except that it does not implicitly lock the stream.
+ @end deftypefun
+@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{getwc_unlocked} function is equivalent to the @code{getwc}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -1082,6 +1184,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int getchar (void)
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
+ as the value of the @var{stream} argument.
+ @end deftypefun
+@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t getwchar (void)
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
+ as the value of the @var{stream} argument.
+ @end deftypefun
+@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int getchar_unlocked (void)
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{getchar_unlocked} function is equivalent to the @code{getchar}
+ function except that it does not implicitly lock the stream.
+ @end deftypefun
+@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun wint_t getwchar_unlocked (void)
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
+ @comment stdio.h
+ @comment SVID
+ @deftypefun int getw (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function reads a word (that is, an @code{int}) from @var{stream}.
+ It's provided for compatibility with SVID.  We recommend you use
+ @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
+@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function reads an entire line from @var{stream}, storing the text
+ (including the newline and a terminating null character) in a buffer
+ and storing the buffer address in @code{*@var{lineptr}}.
+@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
+ @comment stdio.h
+ @comment GNU
+ @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function is like @code{getline} except that the character which
+ tells it to stop reading is not necessarily newline.  The argument
+ @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
+@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{fgets} function reads characters from the stream @var{stream}
+ up to and including a newline character and stores them in the string
+ @var{s}, adding a null character to mark the end of the string.  You
+@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{fgetws} function reads wide characters from the stream
+ @var{stream} up to and including a newline character and stores them in
+ the string @var{ws}, adding a null wide character to mark the end of the
+@@ -1280,6 +1391,7 @@ message.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fgets_unlocked} function is equivalent to the @code{fgets}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -1289,6 +1401,7 @@ This function is a GNU extension.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -1298,6 +1411,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefn {Deprecated function} {char *} gets (char *@var{s})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The function @code{gets} reads characters from the stream @code{stdin}
+ up to the next newline character, and stores them in the string @var{s}.
+ The newline character is discarded (note that this differs from the
+@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{ungetc} function pushes back the character @var{c} onto the
+ input stream @var{stream}.  So the next input from @var{stream} will
+ read @var{c} before anything else.
+@@ -1425,6 +1540,7 @@ will encounter end of file.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{ungetwc} function behaves just like @code{ungetc} just that it
+ pushes back a wide character.
+ @end deftypefun
+@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function reads up to @var{count} objects of size @var{size} into
+ the array @var{data}, from the stream @var{stream}.  It returns the
+ number of objects actually read, which might be less than @var{count} if
+@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fread_unlocked} function is equivalent to the @code{fread}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -1507,6 +1625,7 @@ This function is a GNU extension.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function writes up to @var{count} objects of size @var{size} from
+ the array @var{data}, to the stream @var{stream}.  The return value is
+ normally @var{count}, if the call succeeds.  Any other value indicates
+@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int printf (const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ The @code{printf} function prints the optional arguments under the
+ control of the template string @var{template} to the stream
+ @code{stdout}.  It returns the number of characters printed, or a
+@@ -2266,6 +2387,7 @@ negative value if there was an output error.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ The @code{wprintf} function prints the optional arguments under the
+ control of the wide template string @var{template} to the stream
+ @code{stdout}.  It returns the number of wide characters printed, or a
+@@ -2275,6 +2397,7 @@ negative value if there was an output error.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is just like @code{printf}, except that the output is
+ written to the stream @var{stream} instead of @code{stdout}.
+ @end deftypefun
+@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is just like @code{wprintf}, except that the output is
+ written to the stream @var{stream} instead of @code{stdout}.
+ @end deftypefun
+@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is like @code{printf}, except that the output is stored in the character
+ array @var{s} instead of written to a stream.  A null character is written
+ to mark the end of the string.
+@@ -2313,6 +2438,7 @@ described below.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is like @code{wprintf}, except that the output is stored in the
+ wide character array @var{ws} instead of written to a stream.  A null
+ wide character is written to mark the end of the string.  The @var{size}
+@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ The @code{snprintf} function is similar to @code{sprintf}, except that
+ the @var{size} argument specifies the maximum number of characters to
+ produce.  The trailing null character is counted towards this limit, so
+@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This function is similar to @code{sprintf}, except that it dynamically
+ allocates a string (as with @code{malloc}; @pxref{Unconstrained
+ Allocation}) to hold the output, instead of putting the output in a
+@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
++@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+ This function is similar to @code{asprintf}, except that it uses the
+ obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
+ 
+@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is similar to @code{printf} except that, instead of taking
+ a variable number of arguments directly, it takes an argument list
+ pointer @var{ap}.
+@@ -2517,6 +2647,7 @@ pointer @var{ap}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is similar to @code{wprintf} except that, instead of taking
+ a variable number of arguments directly, it takes an argument list
+ pointer @var{ap}.
+@@ -2525,6 +2656,12 @@ pointer @var{ap}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
++@c Although vfprintf sets up a cleanup region to release the lock on the
++@c output stream, it doesn't use it to release args_value or string in
++@c case of cancellation.  This doesn't make it unsafe, but cancelling it
++@c may leak memory.  The unguarded use of __printf_function_table is
++@c also of concern for all callers.
+ This is the equivalent of @code{fprintf} with the variable argument list
+ specified directly as for @code{vprintf}.
+ @end deftypefun
+@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This is the equivalent of @code{fwprintf} with the variable argument list
+ specified directly as for @code{vwprintf}.
+ @end deftypefun
+@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is the equivalent of @code{sprintf} with the variable argument list
+ specified directly as for @code{vprintf}.
+ @end deftypefun
+@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is the equivalent of @code{swprintf} with the variable argument list
+ specified directly as for @code{vwprintf}.
+ @end deftypefun
+@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is the equivalent of @code{snprintf} with the variable argument list
+ specified directly as for @code{vprintf}.
+ @end deftypefun
+@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ The @code{vasprintf} function is the equivalent of @code{asprintf} with the
+ variable argument list specified directly as for @code{vprintf}.
+ @end deftypefun
+@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
++@c The obstack is not guarded by mutexes, it might be at an inconsistent
++@c state within a signal handler, and it could be left at an
++@c inconsistent state in case of cancellation.
+ The @code{obstack_vprintf} function is the equivalent of
+ @code{obstack_printf} with the variable argument list specified directly
+ as for @code{vprintf}.@refill
+@@ -2639,6 +2785,7 @@ file @file{printf.h}.
+ @comment printf.h
+ @comment GNU
+ @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
+ This function returns information about the number and types of
+ arguments expected by the @code{printf} template string @var{template}.
+ The information is stored in the array @var{argtypes}; each element of
+@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
+ @comment printf.h
+ @comment GNU
+ @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
++@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
++@c This function is guarded by the global non-recursive libc lock, but
++@c users of the variables it sets aren't, and those should be MT-Safe,
++@c so we're ruling out the use of this extension with threads.  Calling
++@c it from a signal handler may self-deadlock, and cancellation may
++@c leave the lock held, besides leaking allocated memory.
+ This function defines the conversion specifier character @var{spec}.
+ Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
+ You can redefine the built-in conversions like @samp{%s}, but flag
+@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
+ @comment printf.h
+ @comment GNU
+ @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
++@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
++@c This is meant to be called by vfprintf, that should hold the lock on
++@c the stream, but if this function is called directly, output will be
++@c racy, besides the uses of the global locale object while other
++@c threads may be changing it and the possbility of leaving the stream
++@c object in an inconsistent state in case of cancellation.
+ Print a given floating point number as for the format @code{%f} except
+ that there is a postfix character indicating the divisor for the
+ number to make this less than 1000.  There are two possible divisors:
+@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
+ @comment printf.h
+ @comment GNU
+ @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function will return in @var{argtypes} the information about the
+ used parameters in the way the @code{vfprintf} implementation expects
+ it.  The format always takes one argument.
+@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int scanf (const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ The @code{scanf} function reads formatted input from the stream
+ @code{stdin} under the control of the template string @var{template}.
+ The optional arguments are pointers to the places which receive the
+@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ The @code{wscanf} function reads formatted input from the stream
+ @code{stdin} under the control of the template string @var{template}.
+ The optional arguments are pointers to the places which receive the
+@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is just like @code{scanf}, except that the input is read
+ from the stream @var{stream} instead of @code{stdin}.
+ @end deftypefun
+@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is just like @code{wscanf}, except that the input is read
+ from the stream @var{stream} instead of @code{stdin}.
+ @end deftypefun
+@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is like @code{scanf}, except that the characters are taken from the
+ null-terminated string @var{s} instead of from a stream.  Reaching the
+ end of the string is treated as an end-of-file condition.
+@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is like @code{wscanf}, except that the characters are taken from the
+ null-terminated string @var{ws} instead of from a stream.  Reaching the
+ end of the string is treated as an end-of-file condition.
+@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is similar to @code{scanf}, but instead of taking
+ a variable number of arguments directly, it takes an argument list
+ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This function is similar to @code{wscanf}, but instead of taking
+ a variable number of arguments directly, it takes an argument list
+ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This is the equivalent of @code{fscanf} with the variable argument list
+ specified directly as for @code{vscanf}.
+ @end deftypefun
+@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+ This is the equivalent of @code{fwscanf} with the variable argument list
+ specified directly as for @code{vwscanf}.
+ @end deftypefun
+@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is the equivalent of @code{sscanf} with the variable argument list
+ specified directly as for @code{vscanf}.
+ @end deftypefun
+@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
++@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
+ This is the equivalent of @code{swscanf} with the variable argument list
+ specified directly as for @code{vwscanf}.
+ @end deftypefun
+@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int feof (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+ The @code{feof} function returns nonzero if and only if the end-of-file
+ indicator for the stream @var{stream} is set.
+ 
+@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int feof_unlocked (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c There isn't much of a thread unsafety risk in reading a flag word and
++@c testing a bit in it.
+ The @code{feof_unlocked} function is equivalent to the @code{feof}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int ferror (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+ The @code{ferror} function returns nonzero if and only if the error
+ indicator for the stream @var{stream} is set, indicating that an error
+ has occurred on a previous operation on the stream.
+@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int ferror_unlocked (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{ferror_unlocked} function is equivalent to the @code{ferror}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -4023,6 +4201,7 @@ function.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun void clearerr (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+ This function clears the end-of-file and error indicators for the
+ stream @var{stream}.
+ 
+@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun void clearerr_unlocked (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
+ The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
+ function except that it does not implicitly lock the stream.
+ 
+@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {long int} ftell (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function returns the current file position of the stream
+ @var{stream}.
+ 
+@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun off_t ftello (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{ftello} function is similar to @code{ftell}, except that it
+ returns a value of type @code{off_t}.  Systems which support this type
+ use it to describe all file positions, unlike the POSIX specification
+@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun off64_t ftello64 (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function is similar to @code{ftello} with the only difference that
+ the return value is of type @code{off64_t}.  This also requires that the
+ stream @var{stream} was opened using either @code{fopen64},
+@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{fseek} function is used to change the file position of the
+ stream @var{stream}.  The value of @var{whence} must be one of the
+ constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
+@@ -4215,6 +4399,7 @@ place in the file.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function is similar to @code{fseek} but it corrects a problem with
+ @code{fseek} in a system with POSIX types.  Using a value of type
+ @code{long int} for the offset is not compatible with POSIX.
+@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function is similar to @code{fseeko} with the only difference that
+ the @var{offset} parameter is of type @code{off64_t}.  This also
+ requires that the stream @var{stream} was opened using either
+@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun void rewind (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{rewind} function positions the stream @var{stream} at the
+ beginning of the file.  It is equivalent to calling @code{fseek} or
+ @code{fseeko} on the @var{stream} with an @var{offset} argument of
+@@ -4407,6 +4594,7 @@ representation.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function stores the value of the file position indicator for the
+ stream @var{stream} in the @code{fpos_t} object pointed to by
+ @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
+@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function is similar to @code{fgetpos} but the file position is
+ returned in a variable of type @code{fpos64_t} to which @var{position}
+ points.
+@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function sets the file position indicator for the stream @var{stream}
+ to the position @var{position}, which must have been set by a previous
+ call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
+@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function is similar to @code{fsetpos} but the file position used
+ for positioning is provided in a variable of type @code{fpos64_t} to
+ which @var{position} points.
+@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fflush (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function causes any buffered output on @var{stream} to be delivered
+ to the file.  If @var{stream} is a null pointer, then
+ @code{fflush} causes buffered output on @emph{all} open output streams
+@@ -4572,6 +4764,7 @@ otherwise.
+ @comment stdio.h
+ @comment POSIX
+ @deftypefun int fflush_unlocked (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{fflush_unlocked} function is equivalent to the @code{fflush}
+ function except that it does not implicitly lock the stream.
+ @end deftypefun
+@@ -4588,6 +4781,7 @@ exported.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun void _flushlbf (void)
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ The @code{_flushlbf} function flushes all line buffered streams
+ currently opened.
+ 
+@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun void __fpurge (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+ The @code{__fpurge} function causes the buffer of the stream
+ @var{stream} to be emptied.  If the stream is currently in read mode all
+ input in the buffer is lost.  If the stream is in output mode the
+@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function is used to specify that the stream @var{stream} should
+ have the buffering mode @var{mode}, which can be either @code{_IOFBF}
+ (for full buffering), @code{_IOLBF} (for line buffering), or
+@@ -4710,6 +4906,7 @@ efficient size.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ If @var{buf} is a null pointer, the effect of this function is
+ equivalent to calling @code{setvbuf} with a @var{mode} argument of
+ @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
+@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
+ @comment stdio.h
+ @comment BSD
+ @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
+ Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
+ buffer.  The @var{size} argument specifies the length of @var{buf}.
+@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
+ @comment stdio.h
+ @comment BSD
+ @deftypefun void setlinebuf (FILE *@var{stream})
++@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+ This function makes @var{stream} be line buffered, and allocates the
+ buffer for you.
+ 
+@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun int __flbf (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{__flbf} function will return a nonzero value in case the
+ stream @var{stream} is line buffered.  Otherwise the return value is
+ zero.
+@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun size_t __fbufsize (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
+ The @code{__fbufsize} function return the size of the buffer in the
+ stream @var{stream}.  This value can be used to optimize the use of the
+ stream.
+@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
+ @comment stdio_ext.h
+ @comment GNU
+ @deftypefun size_t __fpending (FILE *@var{stream})
++@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
+ The @code{__fpending}
+ function returns the number of bytes currently in the output buffer.
+ For wide-oriented stream the measuring unit is wide characters.  This
+@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
++@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
++@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
++@c bringing with it additional potential for async trouble with
++@c list_all_lock.
+ This function opens a stream that allows the access specified by the
+ @var{opentype} argument, that reads from or writes to the buffer specified
+ by the argument @var{buf}.  This array must be at least @var{size} bytes long.
+@@ -4870,6 +5076,7 @@ Got r
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
++@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+ This function opens a stream for writing to a buffer.  The buffer is
+ allocated dynamically and grown as necessary, using @code{malloc}.
+ After you've closed the stream, this buffer is your responsibility to
+@@ -4985,6 +5192,7 @@ closed.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
++@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+ This function actually creates the stream for communicating with the
+ @var{cookie} using the functions in the @var{io-functions} argument.
+ The @var{opentype} argument is interpreted as for @code{fopen};
+@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
+ @comment fmtmsg.h
+ @comment XPG
+ @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
+ Display a message described by its parameters on the device(s) specified
+ in the @var{classification} parameter.  The @var{label} parameter
+ identifies the source of the message.  The string should consist of two
+@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
+ but this is toilsome.
+ 
+ @deftypefun int addseverity (int @var{severity}, const char *@var{string})
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
+ This function allows the introduction of new severity classes which can be
+ addressed by the @var{severity} parameter of the @code{fmtmsg} function.
+ The @var{severity} parameter of @code{addseverity} must match the value
diff --git a/patches/manual-document-mt-safety-wip.patch b/patches/manual-document-mt-safety-wip.patch
new file mode 100644
index 0000000..31af2c2
--- /dev/null
+++ b/patches/manual-document-mt-safety-wip.patch
@@ -0,0 +1,3477 @@
+Bottom: cd865dbc67422bb0360d4e2692cc5f7ec6aea252
+Top:    7e6a83a1413d637cd4076c377f2dc632dc928b39
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:48 -0300
+
+Thread safety documentation.
+
+for ChangeLog
+
+	* manual/???.texi: Document thread safety properties.
+
+
+---
+
+diff --git a/manual/argp.texi b/manual/argp.texi
+index c9fbe97..5322f91 100644
+--- a/manual/argp.texi
++++ b/manual/argp.texi
+@@ -36,6 +36,35 @@ needed in @code{main}.
+ @comment argp.h
+ @comment GNU
+ @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
++@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c Optionally alloca()tes standard help options, initializes the parser,
++@c then parses individual args in a loop, and then finalizes.
++@c  parser_init
++@c   calc_sizes ok
++@c    option_is_end ok
++@c   malloc
++@c   parser_convert glocale
++@c    convert_options glocale
++@c     option_is_end ok
++@c     option_is_short ok
++@c      isprint, but locale may change within the loop
++@c     find_long_option ok
++@c   group_parse
++@c    group->parser (from argp->parser)
++@c  parser_parse_next
++@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
++@c   parser_parse_arg
++@c    group_parse
++@c   parser_parse_opt
++@c    group_parse
++@c    argp_error
++@c    dgettext (bad key error)
++@c  parser_finalize
++@c   group_parse
++@c   fprintf
++@c   dgettext
++@c   arg_state_help
++@c   free
+ The @code{argp_parse} function parses the arguments in @var{argv}, of
+ length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
+ Parsers}.  Passing a null pointer for @var{argp} is the same as using
+@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_usage (const struct argp_state *@var{state})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
+ Outputs the standard usage message for the argp parser referred to by
+ @var{state} to @code{@var{state}->err_stream} and terminate the program
+ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
+@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Lock stream, vasprintf the formatted message into a buffer, print the
++@c buffer prefixed by the short program name (in libc,
++@c argp_short_program_name is a macro that expands to
++@c program_invocation_short_name), releases the buffer, then call
++@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
++@c stream at the end.
+ Prints the printf format string @var{fmt} and following args, preceded
+ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
+ --help}} message, and terminates the program with an exit status of
+@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
++@c Lock stream, write out the short program name, vasprintf the optional
++@c formatted message to a buffer, print the buffer prefixed by colon and
++@c blank, release the buffer, call strerror_r with an automatic buffer,
++@c print it out after colon and blank, put[w]c a line break, unlock the
++@c stream, then exit unless ARGP_NO_EXIT.
+ Similar to the standard gnu error-reporting function @code{error}, this
+ prints the program name and @samp{:}, the printf format string
+ @var{fmt}, and the appropriate following args.  If it is non-zero, the
+@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Just calls _help with the short program name and optionally exit.
++@c The main problems in _help, besides the usual issues with stream I/O
++@c and translation, are the use of a static buffer (uparams) that makes
++@c the whole thing thread-unsafe, reading from the environment for
++@c ARGP_HELP_FMT, accessing the locale object multiple times.
++
++@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c  dgettext asi18n
++@c  flockfile lockleak
++@c  funlockfile lockleak
++@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
++@c   argp_failure dup (status = errnum = 0)
++@c   atoi dup
++@c  argp_hol asmalloc, memleak
++@c   make_hol asmalloc, memleak
++@c   hol_add_cluster asmalloc, memleak
++@c   hol_append asmalloc, memleak
++@c  hol_set_group ok
++@c   hol_find_entry ok
++@c  hol_sort glocale, asmalloc, memleak
++@c   qsort asmalloc, memleak
++@c    hol_entry_qcmp glocale
++@c     hol_entry_cmp glocale
++@c      group_cmp ok
++@c      hol_cluster_cmp ok
++@c       group_cmp ok
++@c      hol_entry_first_short glocale
++@c       hol_entry_short_iterate [glocale]
++@c        until_short ok
++@c         oshort ok
++@c          isprint ok
++@c      odoc ok
++@c      hol_entry_first_long ok
++@c      canon_doc_option glocale
++@c      tolower dup
++@c  hol_usage glocale, asi18n, asmalloc, memleak
++@c   hol_entry_short_iterate ok
++@c    add_argless_short_opt ok
++@c   argp_fmtstream_printf dup
++@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
++@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
++@c     dgettext dup
++@c     argp_fmtstream_printf dup
++@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
++@c    usage_long_opt glocale, asi18n, asmalloc, memleak
++@c     dgettext dup
++@c     argp_fmtstream_printf dup
++@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_set_lmargin dup
++@c    argp_fmtstream_wmargin dup
++@c    argp_fmtstream_set_wmargin dup
++@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c     argp_fmtstream_putc dup
++@c     hol_cluster_is_child ok
++@c     argp_fmtstream_wmargin dup
++@c     print_header dup
++@c     argp_fmtstream_set_wmargin dup
++@c     argp_fmtstream_puts dup
++@c     indent_to dup
++@c    argp_fmtstream_putc dup
++@c    arg glocale, asmalloc, memleak
++@c     argp_fmtstream_printf dup
++@c    odoc dup
++@c    argp_fmtstream_puts dup
++@c    argp_fmtstream_printf dup
++@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c     dgettext dup
++@c     filter_doc dup
++@c     argp_fmtstream_putc dup
++@c     indent_to dup
++@c     argp_fmtstream_set_lmargin dup
++@c     argp_fmtstream_set_wmargin dup
++@c     argp_fmtstream_puts dup
++@c     free dup
++@c    filter_doc dup
++@c    argp_fmtstream_point dup
++@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c     argp_fmtstream_point dup
++@c     argp_fmtstream_putc dup
++@c   dgettext dup
++@c   filter_doc dup
++@c   argp_fmtstream_putc dup
++@c   argp_fmtstream_puts dup
++@c   free dup
++@c  hol_free asmalloc, memleak
++@c   free dup
++@c  argp_args_levels ok
++@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
++@c   dgettext dup
++@c   filter_doc ok
++@c    argp_input ok
++@c    argp->help_filter
++@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_point dup
++@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
++@c     argp_fmtstream_update dup
++@c    argp_fmtstream_putc dup
++@c   argp_fmtstream_write dup
++@c   free dup
++@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
++@c   dgettext asi18n
++@c   strndup asmalloc, memleak
++@c   argp_input dup
++@c   argp->help_filter
++@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_ensure dup
++@c   argp_fmtstream_write dup
++@c   argp_fmtstream_puts dup
++@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
++@c    argp_fmtstream_update dup
++@c   argp_fmtstream_lmargin dup
++@c   free dup
++@c  argp_make_fmtstream asmalloc, memleak
++@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
++@c    put[w]c_unlocked dup
++@c    isblank in loop glocale
++@c    fxprintf lockleak
++@c   fxprintf lockleak
++@c   free dup
++@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
++@c   argp_fmtstream_update dup
++@c  argp_fmtstream_printf glocale, asmalloc, memleak
++@c   argp_fmtstream_ensure dup
++@c   vsnprintf dup
++@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
++@c   argp_fmtstream_update dup
++@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
++@c     argp_fmtstream_update dup
++@c     fxprintf lockleak
++@c     realloc asmalloc, memleak
+ Outputs a help message for the argp parser referred to by @var{state},
+ to @var{stream}.  The @var{flags} argument determines what sort of help
+ message is produced.  @xref{Argp Help Flags}.
+@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
+ @comment argp.h
+ @comment GNU
+ @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
++@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
++@c Just calls _help.  
+ This outputs a help message for the argp parser @var{argp} to
+ @var{stream}.  The type of messages printed will be determined by
+ @var{flags}.
+diff --git a/manual/arith.texi b/manual/arith.texi
+index 833e0c9..5c3aa9d 100644
+--- a/manual/arith.texi
++++ b/manual/arith.texi
+@@ -323,6 +323,7 @@ floating-point number a variable holds.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is a generic macro which works on all floating-point types and
+ which returns a value of type @code{int}.  The possible values are:
+ 
+@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is finite: not plus or
+ minus infinity, and not NaN.  It is equivalent to
+ 
+@@ -373,6 +375,7 @@ floating-point type.
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is finite and normalized.
+ It is equivalent to
+ 
+@@ -384,6 +387,7 @@ It is equivalent to
+ @comment math.h
+ @comment ISO
+ @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
+ to
+ 
+@@ -395,6 +399,7 @@ to
+ @comment math.h
+ @comment GNU
+ @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value if @var{x} is a signaling NaN
+ (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
+ extension.
+@@ -2443,6 +2448,32 @@ as well.
+ @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+ @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+ @c mpn, but it's all safe.
++@c
++@c round_and_return
++@c   get_rounding_mode ok
++@c   mpn_add_1 ok
++@c   mpn_rshift ok
++@c   MPN_ZERO ok
++@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
++@c str_to_mpn
++@c   mpn_mul_1 -> umul_ppmm ok
++@c   mpn_add_1 ok
++@c mpn_lshift_1 -> mpn_lshift ok
++@c STRTOF_INTERNAL
++@c   MPN_VAR ok
++@c   SET_MANTISSA ok
++@c   STRNCASECMP ok, wide and narrow
++@c   round_and_return ok
++@c   mpn_mul ok
++@c     mpn_addmul_1 ok
++@c     ... mpn_sub
++@c   mpn_lshift ok
++@c   udiv_qrnnd ok
++@c   count_leading_zeros ok
++@c   add_ssaaaa ok
++@c   sub_ddmmss ok
++@c   umul_ppmm ok
++@c   mpn_submul_1 ok
+ The @code{strtod} (``string-to-double'') function converts the initial
+ part of @var{string} to a floating-point number, which is returned as a
+ value of type @code{double}.
+diff --git a/manual/charset.texi b/manual/charset.texi
+index e21502e..7e6c416 100644
+--- a/manual/charset.texi
++++ b/manual/charset.texi
+@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int mbsinit (const mbstate_t *@var{ps})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c ps is dereferenced once, unguarded.  Potential harmless data race.
+ The @code{mbsinit} function determines whether the state object pointed
+ to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
+ the object is in the initial state the return value is nonzero.  Otherwise
+@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun wint_t btowc (int @var{c})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Calls btowc_fct or __fct; reads from locale, and from the
++@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
++@c __wcsmbs_load_conv to initialize the ctype if it's null.
++@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
++@c memory for the fcts structure, initializing it, and then storing it
++@c in the locale object.  The initialization involves dlopening and a
++@c lot more.
+ The @code{btowc} function (``byte to wide character'') converts a valid
+ single byte character @var{c} in the initial shift state into the wide
+ character equivalent using the conversion rules from the currently
+@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun int wctob (wint_t @var{c})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wctob} function (``wide character to byte'') takes as the
+ parameter a valid wide character.  If the multibyte representation for
+ this character in the initial state is exactly one byte long, the return
+@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ @cindex stateful
+ The @code{mbrtowc} function (``multibyte restartable to wide
+ character'') converts the next multibyte character in the string pointed
+@@ -728,6 +740,7 @@ function that does part of the work.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbrlen} function (``multibyte restartable length'') computes
+ the number of at most @var{n} bytes starting at @var{s}, which form the
+ next valid and complete multibyte character.
+@@ -811,6 +824,50 @@ doing the work twice.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c wcrtomb uses a static, non-thread-local unguarded state variable when
++@c PS is NULL.  When a state is passed in, and it's not used
++@c concurrently in other threads, this function behaves safely as long
++@c as gconv modules don't bring MT safety issues of their own.
++@c Attempting to load gconv modules or to build conversion chains in
++@c signal handlers may encounter gconv databases or caches in a
++@c partially-updated state, and asynchronous cancellation may leave them
++@c in such states, besides leaking the lock that guards them.
++@c get_gconv_fcts ok
++@c    wcsmbs_load_conv ok
++@c      norm_add_slashes ok
++@c      wcsmbs_getfct ok
++@c        gconv_find_transform ok
++@c          gconv_read_conf (libc_once)
++@c          gconv_lookup_cache ok
++@c            find_module_idx ok
++@c            find_module ok
++@c              gconv_find_shlib (ok)
++@c              ->init_fct (assumed ok)
++@c            gconv_get_builtin_trans ok
++@c            gconv_release_step ok
++@c          do_lookup_alias ok
++@c          find_derivation ok
++@c            derivation_lookup ok
++@c            increment_counter ok
++@c              gconv_find_shlib ok
++@c              step->init_fct (assumed ok)
++@c            gen_steps ok
++@c              gconv_find_shlib ok
++@c                dlopen (presumed ok)
++@c                dlsym (presumed ok)
++@c              step->init_fct (assumed ok)
++@c              step->end_fct (assumed ok)
++@c              gconv_get_builtin_trans ok
++@c              gconv_release_step ok
++@c            add_derivation ok
++@c      gconv_close_transform ok
++@c        gconv_release_step ok
++@c          step->end_fct (assumed ok)
++@c          gconv_release_shlib ok
++@c            dlclose (presumed ok)
++@c        gconv_release_cache ok
++@c  ->tomb->__fct (assumed ok)
+ The @code{wcrtomb} function (``wide character restartable to
+ multibyte'') converts a single wide character into a multibyte string
+ corresponding to that wide character.
+@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbsrtowcs} function (``multibyte string restartable to wide
+ character string'') converts an NUL-terminated multibyte character
+ string at @code{*@var{src}} into an equivalent wide character string,
+@@ -1039,6 +1097,7 @@ length and passing this length to the function.
+ @comment wchar.h
+ @comment ISO
+ @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wcsrtombs} function (``wide character string restartable to
+ multibyte string'') converts the NUL-terminated wide character string at
+ @code{*@var{src}} into an equivalent multibyte character string and
+@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
+ @comment wchar.h
+ @comment GNU
+ @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
+ function.  All the parameters are the same except for @var{nmc}, which is
+ new.  The return value is the same as for @code{mbsrtowcs}.
+@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
+ @comment wchar.h
+ @comment GNU
+ @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
++@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wcsnrtombs} function implements the conversion from wide
+ character strings to multibyte character strings.  It is similar to
+ @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
+@@ -1280,6 +1341,7 @@ conversion functions.}
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mbtowc} (``multibyte to wide character'') function when called
+ with non-null @var{string} converts the first multibyte character
+ beginning at @var{string} to its corresponding wide character code.  It
+@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wctomb} (``wide character to multibyte'') function converts
+ the wide character code @var{wchar} to its corresponding multibyte
+ character sequence, and stores the result in bytes starting at
+@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun int mblen (const char *@var{string}, size_t @var{size})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{mblen} function with a non-null @var{string} argument returns
+ the number of bytes that make up the multibyte character beginning at
+ @var{string}, never examining more than @var{size} bytes.  (The idea is
+@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Odd...  Although this is in the non-reentrant section, the state
++@c object is automatic, not a static buffer.
+ The @code{mbstowcs} (``multibyte string to wide character string'')
+ function converts the null-terminated string of multibyte characters
+ @var{string} to an array of wide character codes, storing not more than
+@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+ The @code{wcstombs} (``wide character string to multibyte string'')
+ function converts the null-terminated wide character array @var{wstring}
+ into a string containing multibyte characters, storing not more than
+@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
+ @comment iconv.h
+ @comment XPG2
+ @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
++@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
++@c strip and upstr on both, then gconv_open.  strip and upstr call
++@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
++@c tokenize toset, replace unspecified codesets with the current locale
++@c (posibly two different accesses), and finally it calls
++@c gconv_find_transform and initializes the gconv_t result with all the
++@c steps in the conversion sequence, running each one's initializer,
++@c destructing and releasing them all if anything fails.
++
+ The @code{iconv_open} function has to be used before starting a
+ conversion.  The two parameters this function takes determine the
+ source and destination character set for the conversion, and if the
+@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
+ @comment iconv.h
+ @comment XPG2
+ @deftypefun int iconv_close (iconv_t @var{cd})
++@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
++@c Calls gconv_close to destruct and release each of the conversion
++@c steps, release the gconv_t object, then call gconv_close_transform.
++@c Access to the gconv_t object is not guarded, but calling iconv_close
++@c concurrently with any other use is undefined.
++
+ The @code{iconv_close} function frees all resources associated with the
+ handle @var{cd}, which must have been returned by a successful call to
+ the @code{iconv_open} function.
+@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
+ @comment iconv.h
+ @comment XPG2
+ @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
++@c Without guarding access to the gconv_t object pointed to by cd, call
++@c the conversion function to convert inbuf or flush the internal
++@c conversion state.
+ @cindex stateful
+ The @code{iconv} function converts the text in the input buffer
+ according to the rules associated with the descriptor @var{cd} and
+diff --git a/manual/conf.texi b/manual/conf.texi
+index 7eb8b36..edbb2fd 100644
+--- a/manual/conf.texi
++++ b/manual/conf.texi
+@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {long int} sysconf (int @var{parameter})
++@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
++@c Some parts of the implementation open /proc and /sys files and dirs
++@c to collect system details, using fd and stream I/O depending on the
++@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
++@c calls tzset_internal, that calls getenv if it's called the first
++@c time; there are free and strdup calls in there too.  The returned max
++@c value may change over time for TZNAME_MAX, depending on selected
++@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
++@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
++@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
++@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
+ This function is used to inquire about runtime system parameters.  The
+ @var{parameter} argument should be one of the @samp{_SC_} symbols listed
+ below.
+@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
++@c When __statfs_link_max finds an ext* filesystem, it may read
++@c /proc/mounts or similar as a mntent stream.
++@c __statfs_chown_restricted may read from
++@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
+ This function is used to inquire about the limits that apply to
+ the file named @var{filename}.
+ 
+@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
++@c Same caveats as pathconf.
+ This is just like @code{pathconf} except that an open file descriptor
+ is used to specify the file for which information is requested, instead
+ of a file name.
+@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
+ @comment unistd.h
+ @comment POSIX.2
+ @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function reads the value of a string-valued system parameter,
+ storing the string into @var{len} bytes of memory space starting at
+ @var{buf}.  The @var{parameter} argument should be one of the
+diff --git a/manual/crypt.texi b/manual/crypt.texi
+index ef90590..5c9f6f7 100644
+--- a/manual/crypt.texi
++++ b/manual/crypt.texi
+@@ -92,7 +92,13 @@ in a convenient way.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun {char *} getpass (const char *@var{prompt})
+-
++@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
++@c This function will attempt to create a stream for terminal I/O, but
++@c will fallback to stdio/stderr.  It attempts to change the terminal
++@c mode in a thread-unsafe way, write out the prompt, read the password,
++@c then restore the terminal mode.  It has a cleanup to close the stream
++@c in case of (synchronous) cancellation, but not to restore the
++@c terminal mode.
+ @code{getpass} outputs @var{prompt}, then reads a string in from the
+ terminal without echoing it.  It tries to connect to the real terminal,
+ @file{/dev/tty}, if possible, to encourage users not to put plaintext
+@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
+ @comment crypt.h
+ @comment BSD, SVID
+ @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
++@c Besides the obvious problem of returning a pointer into static
++@c storage, the DES initializer takes an internal lock with the usual
++@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
++@c NSS implementations of may leak file descriptors if canceled.  The
++@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
++@c and NSS relies on dlopening, which brings about another can of worms.
+ 
+ The @code{crypt} function takes a password, @var{key}, as a string, and
+ a @var{salt} character array which is described below, and returns a
+@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
+ @comment crypt.h
+ @comment GNU
+ @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
++@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
++@c Compared with crypt, this function fixes the staticbuf problem, but
++@c nothing else.
+ 
+ The @code{crypt_r} function does the same thing as @code{crypt}, but
+ takes an extra parameter which includes space for its result (among
+@@ -233,6 +249,11 @@ specifies the unused bits.
+ @comment crypt.h
+ @comment BSD, SVID
+ @deftypefun void setkey (const char *@var{key})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
++@c The static buffer stores the key, making it fundamentally
++@c thread-unsafe.  The locking issues are only in the initialization
++@c path; cancelling the initialization will leave the lock held, it
++@c would otherwise repeat the initialization on the next call.
+ 
+ The @code{setkey} function sets an internal data structure to be an
+ expanded form of @var{key}.  @var{key} is specified as an array of 64
+@@ -244,6 +265,8 @@ parity.
+ @comment crypt.h
+ @comment BSD, SVID
+ @deftypefun void encrypt (char *@var{block}, int @var{edflag})
++@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
++@c Same issues as setkey.
+ 
+ The @code{encrypt} function encrypts @var{block} if
+ @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
+@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
+ @comment crypt.h
+ @comment GNU
+ @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
++@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+ @comment crypt.h
+ @comment GNU
+ @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
++@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+ 
+ These are reentrant versions of @code{setkey} and @code{encrypt}.  The
+ only difference is the extra parameter, which stores the expanded
+@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
+ @comment rpc/des_crypt.h
+ @comment SUNRPC
+ @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The function @code{ecb_crypt} encrypts or decrypts one or more blocks
+ using DES.  Each block is encrypted independently.
+@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
+ @comment rpc/des_crypt.h
+ @comment SUNRPC
+ @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The function @code{cbc_crypt} encrypts or decrypts one or more blocks
+ using DES in Cipher Block Chaining mode.
+@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
+ @comment rpc/des_crypt.h
+ @comment SUNRPC
+ @deftypefun void des_setparity (char *@var{key})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The function @code{des_setparity} changes the 64-bit @var{key}, stored
+ packed in 8-bit bytes, to have odd parity by altering the low bits of
+diff --git a/manual/ctype.texi b/manual/ctype.texi
+index f05d509..ddf38ce 100644
+--- a/manual/ctype.texi
++++ b/manual/ctype.texi
+@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int islower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The is* macros call __ctype_b_loc to get the ctype array from the
++@c current locale, and then index it by c.  __ctype_b_loc reads from
++@c thread-local memory the (indirect) pointer to the ctype array, which
++@c may involve one word access to the global locale object, if that's
++@c the active locale for the thread, and the array, being part of the
++@c locale data, is undeletable, so there's no thread-safety issue.
+ Returns true if @var{c} is a lower-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ @end deftypefun
+@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an upper-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ @end deftypefun
+@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isalpha (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an alphabetic character (a letter).  If
+ @code{islower} or @code{isupper} is true of a character, then
+ @code{isalpha} is also true.
+@@ -97,6 +106,7 @@ additional characters.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isdigit (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+ @end deftypefun
+ 
+@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isalnum (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is an alphanumeric character (a letter or
+ number); in other words, if either @code{isalpha} or @code{isdigit} is
+ true of a character, then @code{isalnum} is also true.
+@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isxdigit (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a hexadecimal digit.
+ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @samp{9} and the letters @samp{A} through @samp{F} and
+@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int ispunct (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a punctuation character.
+ This means any printing character that is not alphanumeric or a space
+ character.
+@@ -132,6 +145,7 @@ character.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isspace (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
+ @code{"C"} locale, @code{isspace} returns true for only the standard
+ whitespace characters:
+@@ -161,6 +175,7 @@ vertical tab
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isblank (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a blank character; that is, a space or a tab.
+ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ @end deftypefun
+@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isgraph (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a graphic character; that is, a character
+ that has a glyph associated with it.  The whitespace characters are not
+ considered graphic.
+@@ -178,6 +194,7 @@ considered graphic.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int isprint (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a printing character.  Printing characters
+ include all the graphic characters, plus the space (@samp{ }) character.
+ @end deftypefun
+@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int iscntrl (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a control character (that is, a character that
+ is not a printing character).
+ @end deftypefun
+@@ -194,6 +212,7 @@ is not a printing character).
+ @comment ctype.h
+ @comment SVID, BSD
+ @deftypefun int isascii (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
+ into the US/UK ASCII character set.  This function is a BSD extension
+ and is also an SVID extension.
+@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int tolower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The to* macros/functions call different functions that use different
++@c arrays than those of__ctype_b_loc, but the access patterns and
++@c thus safety guarantees are the same.
+ If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
+ lower-case letter.  If @var{c} is not an upper-case letter,
+ @var{c} is returned unchanged.
+@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int toupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
+ upper-case letter.  Otherwise @var{c} is returned unchanged.
+ @end deftypefun
+@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
+ @comment ctype.h
+ @comment SVID, BSD
+ @deftypefun int toascii (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function converts @var{c} to a 7-bit @code{unsigned char} value
+ that fits into the US/UK ASCII character set, by clearing the high-order
+ bits.  This function is a BSD extension and is also an SVID extension.
+@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
+ @comment ctype.h
+ @comment SVID
+ @deftypefun int _tolower (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is identical to @code{tolower}, and is provided for compatibility
+ with the SVID.  @xref{SVID}.@refill
+ @end deftypefun
+@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
+ @comment ctype.h
+ @comment SVID
+ @deftypefun int _toupper (int @var{c})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is identical to @code{toupper}, and is provided for compatibility
+ with the SVID.
+ @end deftypefun
+@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wctype_t wctype (const char *@var{property})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Although the source code of wctype contains multiple references to
++@c the locale, that could each reference different locale_data objects
++@c should the global locale object change while active, the compiler can
++@c and does combine them all into a single dereference that resolves
++@c once to the LCTYPE locale object used throughout the function, so it
++@c is safe in practice, if not in theory.  Ideally we'd explicitly save
++@c the resolved locale_data object to make it visibly safe instead of
++@c safe only under compiler optimizations.
+ The @code{wctype} returns a value representing a class of wide
+ characters which is identified by the string @var{property}.  Beside
+ some standard properties each locale can define its own ones.  In case
+@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The compressed lookup table returned by wctype is read-only.
+ This function returns a nonzero value if @var{wc} is in the character
+ class specified by @var{desc}.  @var{desc} must previously be returned
+ by a successful call to @code{wctype}.
+@@ -350,6 +388,15 @@ standard classes.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswalnum (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c The implicit wctype call in the isw* functions is actually an
++@c optimized version because the category has a known offset, but the
++@c wctype is equally safe when optimized, unsafe if not optimized.
++@c Since it's not a macro, and we always optimize, it's fine.  The test
++@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
++@c bring any other safety issues: the test does not depend on the
++@c locale, and each path after the decision resolves the locale object
++@c only once.
+ This function returns a nonzero value if @var{wc} is an alphanumeric
+ character (a letter or number); in other words, if either @code{iswalpha}
+ or @code{iswdigit} is true of a character, then @code{iswalnum} is also
+@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswalpha (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is an alphabetic character (a letter).  If
+ @code{iswlower} or @code{iswupper} is true of a character, then
+ @code{iswalpha} is also true.
+@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswcntrl (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a control character (that is, a character that
+ is not a printing character).
+ 
+@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswdigit (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
+ Please note that this function does not only return a nonzero value for
+ @emph{decimal} digits, but for all kinds of digits.  A consequence is
+@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswgraph (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a graphic character; that is, a character
+ that has a glyph associated with it.  The whitespace characters are not
+ considered graphic.
+@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
+ @comment ctype.h
+ @comment ISO
+ @deftypefun int iswlower (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a lower-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ 
+@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswprint (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a printing character.  Printing characters
+ include all the graphic characters, plus the space (@samp{ }) character.
+ 
+@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswpunct (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a punctuation character.
+ This means any printing character that is not alphanumeric or a space
+ character.
+@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswspace (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
+ @code{"C"} locale, @code{iswspace} returns true for only the standard
+ whitespace characters:
+@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswupper (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is an upper-case letter.  The letter need not be
+ from the Latin alphabet, any alphabet representable is valid.
+ 
+@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswxdigit (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a hexadecimal digit.
+ Hexadecimal digits include the normal decimal digits @samp{0} through
+ @samp{9} and the letters @samp{A} through @samp{F} and
+@@ -597,6 +654,7 @@ characters as well.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun int iswblank (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ Returns true if @var{wc} is a blank character; that is, a space or a tab.
+ This function was originally a GNU extension, but was added in @w{ISO C99}.
+ It is declared in @file{wchar.h}.
+@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wctrans_t wctrans (const char *@var{property})
+-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Similar implementation, same caveats as wctype.
+ The @code{wctrans} function has to be used to find out whether a named
+ mapping is defined in the current locale selected for the
+ @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
+@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Same caveats as iswctype.
+ @code{towctrans} maps the input character @var{wc}
+ according to the rules of the mapping for which @var{desc} is a
+ descriptor, and returns the value it finds.  @var{desc} must be
+@@ -732,6 +792,9 @@ for them.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towlower (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
++@c Same caveats as iswalnum, just using a wctrans rather than a wctype
++@c table.
+ If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
+ lower-case letter.  If @var{wc} is not an upper-case letter,
+ @var{wc} is returned unchanged.
+@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
+ @comment wctype.h
+ @comment ISO
+ @deftypefun wint_t towupper (wint_t @var{wc})
++@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+ If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
+ upper-case letter.  Otherwise @var{wc} is returned unchanged.
+ 
+diff --git a/manual/debug.texi b/manual/debug.texi
+index 1db9c18..ce0c263 100644
+--- a/manual/debug.texi
++++ b/manual/debug.texi
+@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
+ @comment execinfo.h
+ @comment GNU
+ @deftypefun int backtrace (void **@var{buffer}, int @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Pointer chasing within the local stack.
+ The @code{backtrace} function obtains a backtrace for the current
+ thread, as a list of pointers, and places the information into
+ @var{buffer}.  The argument @var{size} should be the number of
+@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
+ @comment execinfo.h
+ @comment GNU
+ @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
++@c Collects info returned by _dl_addr in auto array, allocates memory
++@c for the whole return buffer with malloc then sprintfs into it storing
++@c pointers to the strings into the array entries in the buffer.
++@c _dl_addr takes the recursive dl_load_lock then calls
++@c _dl_find_dso_for_object and determine_info.
++@c _dl_find_dso_for_object calls _dl-addr_inside_object.
++@c All of them are safe as long as the lock is held.
++@c asynconsist?  It doesn't looke like the dynamic loader's data
++@c structures could be in an inconsistent state that would cause
++@c malfunction here.
+ The @code{backtrace_symbols} function translates the information
+ obtained from the @code{backtrace} function into an array of strings.
+ The argument @var{buffer} should be a pointer to an array of addresses
+@@ -88,6 +101,11 @@ cannot be obtained.
+ @comment execinfo.h
+ @comment GNU
+ @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
++@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
++@c Single loop of _dl_addr over addresses, collecting info into an iovec
++@c written out with a writev call per iteration.  Addresses and offsets
++@c are converted to hex in auto buffers, so the only potential issue
++@c here is leaking the dl lock in case of cancellation.
+ The @code{backtrace_symbols_fd} function performs the same translation
+ as the function @code{backtrace_symbols} function.  Instead of returning
+ the strings to the caller, it writes the strings to the file descriptor
+diff --git a/manual/errno.texi b/manual/errno.texi
+index 6c9fa86..eb3f412 100644
+--- a/manual/errno.texi
++++ b/manual/errno.texi
+@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
+ @comment string.h
+ @comment ISO
+ @deftypefun {char *} strerror (int @var{errnum})
++@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
++@c Calls strerror_r with a static buffer allocated with malloc on the
++@c first use.
+ The @code{strerror} function maps the error code (@pxref{Checking for
+ Errors}) specified by the @var{errnum} argument to a descriptive error
+ message string.  The return value is a pointer to this string.
+@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
+ @comment string.h
+ @comment GNU
+ @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
++@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
+ The @code{strerror_r} function works like @code{strerror} but instead of
+ returning the error message in a statically allocated buffer shared by
+ all threads in the process, it returns a private copy for the
+@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
+ @comment stdio.h
+ @comment ISO
+ @deftypefun void perror (const char *@var{message})
++@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
++@c Besides strerror_r's and some of fprintf's issues, if stderr is not
++@c oriented yet, create a new stream with a dup of stderr's fd and write
++@c to that instead of stderr, to avoid orienting it.
+ This function prints an error message to the stream @code{stderr};
+ see @ref{Standard Streams}.  The orientation of @code{stderr} is not
+ changed.
+@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
+ @comment error.h
+ @comment GNU
+ @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
++@c Cancellation is disabled throught the execution.  It flushes stdout
++@c and then holds a lock on stderr while printing the program name and
++@c then running error_tail.  The non-wide case just runs vfprintf; the
++@c wide case converts the message to an alloca/malloc-allocated buffer
++@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
++@c print_errno_message calls strerror_r and fxprintf.
+ The @code{error} function can be used to report general problems during
+ program execution.  The @var{format} argument is a format string just
+ like those given to the @code{printf} family of functions.  The
+@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
+ @comment error.h
+ @comment GNU
+ @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
++@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
++@c The error_one_per_line variable is accessed (without any form of
++@c synchronization, but since it's an int used once, it should be safe
++@c enough) and, if this mode is enabled, static variables used to hold
++@c the last printed file name and line number are accessed and modified
++@c without synchronization; the update is not atomic and it occurs
++@c before disabling cancellation, so it can be interrupted after only
++@c one of the two variables is modified.  After that, it's very much
++@c like error.
+ 
+ The @code{error_at_line} function is very similar to the @code{error}
+ function.  The only difference are the additional parameters @var{fname}
+@@ -1582,6 +1606,8 @@ are included only for compatibility.
+ @comment err.h
+ @comment BSD
+ @deftypefun void warn (const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c Just calls vwarn with the va_list.
+ The @code{warn} function is roughly equivalent to a call like
+ @smallexample
+   error (0, errno, format, @r{the parameters})
+@@ -1594,6 +1620,11 @@ are not used.
+ @comment err.h
+ @comment BSD
+ @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c While holding stderr's recursive lock, it prints the programname, the
++@c given message, and the error string with fw?printf's %m.  When the
++@c stream is wide, convert_and_print converts the format string to an
++@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
+ The @code{vwarn} function is just like @code{warn} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.
+@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
+ @comment err.h
+ @comment BSD
+ @deftypefun void warnx (const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as warn, but without the strerror translation issues.
+ The @code{warnx} function is roughly equivalent to a call like
+ @smallexample
+   error (0, 0, format, @r{the parameters})
+@@ -1615,6 +1648,8 @@ string is printed.
+ @comment err.h
+ @comment BSD
+ @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as vwarn, but without the strerror translation issues.
+ The @code{vwarnx} function is just like @code{warnx} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.
+@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
+ @comment err.h
+ @comment BSD
+ @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c Same as warn followed by exit.
+ The @code{err} function is roughly equivalent to a call like
+ @smallexample
+   error (status, errno, format, @r{the parameters})
+@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
+ @comment err.h
+ @comment BSD
+ @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
++@c Same as vwarn followed by exit.
+ The @code{verr} function is just like @code{err} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.
+@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
+ @comment err.h
+ @comment BSD
+ @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as warnx followed by exit.
+ The @code{errx} function is roughly equivalent to a call like
+ @smallexample
+   error (status, 0, format, @r{the parameters})
+@@ -1657,6 +1698,8 @@ string is printed.
+ @comment err.h
+ @comment BSD
+ @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
++@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
++@c Same as vwarnx followed by exit.
+ The @code{verrx} function is just like @code{errx} except that the
+ parameters for the handling of the format string @var{format} are passed
+ in as an value of type @code{va_list}.
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 1df9cf2..2244025 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c If buffer is NULL, this function calls malloc and realloc, and, in
++@c case of error, free.  Linux offers a getcwd syscall that we use on
++@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
++@c fallback, and on other systems, the generic implementation opens each
++@c parent directory with opendir, which allocates memory for the
++@c directory stream with malloc.  If a fstatat64 syscall is not
++@c available, very deep directory trees may also have to malloc to build
++@c longer sequences of ../../../... than those supported by a global
++@c const read-only string.
++
++@c linux/__getcwd
++@c  posix/__getcwd
++@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
++@c   lstat64 -> see its own entry
++@c   fstatat64
++@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
++@c   openat64_not_cancel_3, close_not_cancel_no_status
++@c   __fdopendir, __opendir, __readdir, rewinddir
+ The @code{getcwd} function returns an absolute file name representing
+ the current working directory, storing it in the character array
+ @var{buffer} that you provide.  The @var{size} argument is how you tell
+@@ -116,6 +135,9 @@ software.
+ @comment unistd.h
+ @comment BSD
+ @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
++@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
++@c Besides the getcwd safety issues, it calls strerror_r on error, which
++@c brings in all of the i18n issues.
+ This is similar to @code{getcwd}, but has no way to specify the size of
+ the buffer.  @Theglibc{} provides @code{getwd} only
+ for backwards compatibility with BSD.
+@@ -130,6 +152,9 @@ this function is deprecated.
+ @comment unistd.h
+ @comment GNU
+ @deftypefun {char *} get_current_dir_name (void)
++@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides getcwd, which this function calls as a fallback, it calls
++@c getenv, with the usual thread-safety issues that brings about.
+ @vindex PWD
+ This @code{get_current_dir_name} function is basically equivalent to
+ @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
+@@ -145,6 +170,7 @@ This function is a GNU extension.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ @var{filename}.
+ 
+@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
+ @comment unistd.h
+ @comment XPG
+ @deftypefun int fchdir (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is used to set the process's working directory to
+ directory associated with the file descriptor @var{filedes}.
+ 
+@@ -294,12 +321,14 @@ values and @code{st_mode} values:
+ @comment dirent.h
+ @comment BSD
+ @deftypefun int IFTODT (mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{d_type} value corresponding to @var{mode}.
+ @end deftypefun
+ 
+ @comment dirent.h
+ @comment BSD
+ @deftypefun mode_t DTTOIF (int @var{dtype})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This returns the @code{st_mode} value corresponding to @var{dtype}.
+ @end deftypefun
+ @end table
+@@ -342,6 +371,9 @@ the following functions.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {DIR *} opendir (const char *@var{dirname})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Besides the safe syscall, we have to allocate the DIR object with
++@c __alloc_dir, that calls malloc.
+ The @code{opendir} function opens and returns a directory stream for
+ reading the directory whose file name is @var{dirname}.  The stream has
+ type @code{DIR *}.
+@@ -381,6 +413,8 @@ alternative interface can be used.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun {DIR *} fdopendir (int @var{fd})
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c The DIR object is allocated with __alloc_dir, that calls malloc.
+ The @code{fdopendir} function works just like @code{opendir} but
+ instead of taking a file name and opening a file descriptor for the
+ directory the caller is required to provide a file descriptor.  This
+@@ -425,6 +459,7 @@ access.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int dirfd (DIR *@var{dirstream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The function @code{dirfd} returns the file descriptor associated with
+ the directory stream @var{dirstream}.  This descriptor can be used until
+ the directory is closed with @code{closedir}.  If the directory stream
+@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c This function holds dirstream's non-recursive lock, which brings
++@c about the usual issues with locks and async signals and cancellation,
++@c but the lock taking is not enough to make the returned value safe to
++@c use, since it points to a stream's internal buffer that can be
++@c overwritten by subsequent calls or even released by closedir.
+ This function reads the next entry from the directory.  It normally
+ returns a pointer to a structure containing information about the file.
+ This structure is statically allocated and can be rewritten by a
+@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ This function is the reentrant version of @code{readdir}.  Like
+ @code{readdir} it returns the next entry from the directory.  But to
+ prevent conflicts between simultaneously running threads the result is
+@@ -516,6 +558,7 @@ of the last two functions.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
++@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64} function is just like the @code{readdir} function
+ except that it returns a pointer to a record of type @code{struct
+ dirent64}.  Some of the members of this data type (notably @code{d_ino})
+@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
+ @comment dirent.h
+ @comment LFS
+ @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{readdir64_r} function is equivalent to the @code{readdir_r}
+ function except that it takes parameters of base type @code{struct
+ dirent64} instead of @code{struct dirent} in the second and third
+@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun int closedir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
++@c No synchronization in the posix implementation, only in the hurd
++@c one.  This is regarded as safe because it is undefined behavior if
++@c other threads could still be using the dir stream while it's closed.
+ This function closes the directory stream @var{dirstream}.  It returns
+ @code{0} on success and @code{-1} on failure.
+ 
+@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
+ @comment dirent.h
+ @comment POSIX.1
+ @deftypefun void rewinddir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ The @code{rewinddir} function is used to reinitialize the directory
+ stream @var{dirstream}, so that if you call @code{readdir} it
+ returns information about the first entry in the directory again.  This
+@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
+ @comment dirent.h
+ @comment BSD
+ @deftypefun {long int} telldir (DIR *@var{dirstream})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{telldir} function returns the file position of the directory
+ stream @var{dirstream}.  You can use this value with @code{seekdir} to
+ restore the directory stream to that position.
+@@ -597,6 +650,10 @@ restore the directory stream to that position.
+ @comment dirent.h
+ @comment BSD
+ @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
++@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
++@c The implementation is safe on most platforms, but on BSD it uses
++@c cookies, buckets and records, and the global array of pointers to
++@c dynamically allocated records is guarded by a non-recursive lock.
+ The @code{seekdir} function sets the file position of the directory
+ stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
+ result of a previous call to @code{telldir} on this particular stream;
+@@ -616,6 +673,19 @@ the result.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c The scandir function calls __opendirat, __readdir, and __closedir to
++@c go over the named dir; malloc and realloc to allocate the namelist
++@c and copies of each selected dirent, besides the selector, if given,
++@c and qsort and the cmp functions if the latter is given.  In spite of
++@c the cleanup handler that releases memory and the file descriptor in
++@c case of synchronous cancellation, an asynchronous cancellation may
++@c still leak memory and a file descriptor.  Although readdir is unsafe
++@c in general, the use of an internal dir stream for sequential scanning
++@c of the directory with copying of dirents before subsequent calls
++@c makes the use safe, and the fact that the dir stream is private to
++@c each scandir call does away with the lock issues in readdir and
++@c closedir.
+ 
+ The @code{scandir} function scans the contents of the directory selected
+ by @var{dir}.  The result in *@var{namelist} is an array of pointers to
+@@ -646,6 +716,8 @@ are very helpful for this purpose.
+ @comment dirent.h
+ @comment BSD/SVID
+ @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c Calls strcoll.
+ The @code{alphasort} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c Calls strverscmp.
+ The @code{versionsort} function is like @code{alphasort} except that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
++@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
++@c See scandir.
+ The @code{scandir64} function works like the @code{scandir} function
+ except that the directory entries it returns are described by elements
+ of type @w{@code{struct dirent64}}.  The function pointed to by
+@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c See alphasort.
+ The @code{alphasort64} function behaves like the @code{strcoll} function
+ (@pxref{String/Array Comparison}).  The difference is that the arguments
+ are not string pointers but instead they are of type
+@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c See versionsort.
+ The @code{versionsort64} function is like @code{alphasort64}, excepted that it
+ uses the @code{strverscmp} function internally.
+ @end deftypefun
+@@ -880,6 +960,8 @@ file was passed).
+ @comment ftw.h
+ @comment SVID
+ @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
++@c see nftw for safety details
+ The @code{ftw} function calls the callback function given in the
+ parameter @var{func} for every item which is found in the directory
+ specified by @var{filename} and all directories below.  The function
+@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
++@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+ This function is similar to @code{ftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
+ @comment ftw.h
+ @comment XPG4.2
+ @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
++@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
++@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
++@c  if FTW_CHDIR, also calls fchdir
++@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
++@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
++@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
++@c  find_object (tsearch) and add_object (tfind).  
++@c Since each invocation of *ftw uses its own private search tree, none
++@c  of the search tree concurrency issues apply.
+ The @code{nftw} function works like the @code{ftw} functions.  They call
+ the callback function @var{func} for all items found in the directory
+ @var{filename} and below.  At most @var{descriptors} file descriptors
+@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
+ @comment ftw.h
+ @comment Unix98
+ @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
++@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+ This function is similar to @code{nftw} but it can work on filesystems
+ with large files.  File information is reported using a variable of type
+ @code{struct stat64} which is passed by reference to the callback
+@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{link} function makes a new link to the existing file named by
+ @var{oldname}, under the new name @var{newname}.
+ 
+@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{symlink} function makes a symbolic link to @var{oldname} named
+ @var{newname}.
+ 
+@@ -1190,6 +1287,7 @@ exceeded.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{readlink} function gets the value of the symbolic link
+ @var{filename}.  The file name that the link points to is copied into
+ @var{buffer}.  This file name string is @emph{not} null-terminated;
+@@ -1249,6 +1347,8 @@ names can refer to the same inode.
+ @comment stdlib.h
+ @comment GNU
+ @deftypefun {char *} canonicalize_file_name (const char *@var{name})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls realpath.
+ 
+ The @code{canonicalize_file_name} function returns the absolute name of
+ the file named by @var{name} which contains no @code{.}, @code{..}
+@@ -1290,6 +1390,8 @@ where the result is placed in.
+ @comment stdlib.h
+ @comment XPG
+ @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
++@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
++@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
+ 
+ A call to @code{realpath} where the @var{resolved} parameter is
+ @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
+@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int unlink (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{unlink} function deletes the file name @var{filename}.  If
+ this is a file's sole name, the file itself is also deleted.  (Actually,
+ if any process has the file open when this happens, deletion is
+@@ -1371,6 +1474,7 @@ file system and can't be modified.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int rmdir (const char *@var{filename})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ @cindex directories, deleting
+ @cindex deleting a directory
+ The @code{rmdir} function deletes a directory.  The directory must be
+@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int remove (const char *@var{filename})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Calls unlink and rmdir.
+ This is the @w{ISO C} function to remove a file.  It works like
+ @code{unlink} for files and like @code{rmdir} for directories.
+ @code{remove} is declared in @file{stdio.h}.
+@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a rename syscall, there's an emulation with link
++@c and unlink, but it's racy, even more so if newname exists and is
++@c unlinked first.
+ The @code{rename} function renames the file @var{oldname} to
+ @var{newname}.  The file formerly accessible under the name
+ @var{oldname} is afterwards accessible as @var{newname} instead.  (If
+@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{mkdir} function creates a new, empty directory with name
+ @var{filename}.
+ 
+@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{stat} function returns information about the attributes of the
+ file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
+ 
+@@ -1875,6 +1987,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{stat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fstat} function is like @code{stat}, except that it takes an
+ open file descriptor as an argument instead of a file name.
+ @xref{Low-Level I/O}.
+@@ -1909,6 +2023,7 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{fstat} but is able to work on large
+ files on 32-bit platforms.  For large files the file descriptor
+ @var{filedes} should be obtained by @code{open64} or @code{creat64}.
+@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
+ replaces the interface for small files on 32-bit machines.
+ @end deftypefun
+ 
++@c fstatat will call alloca and snprintf if the syscall is not
++@c available.
++@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat, sometimes with an xstat conv call
++@c afterwards.
+ The @code{lstat} function is like @code{stat}, except that it does not
+ follow symbolic links.  If @var{filename} is the name of a symbolic
+ link, @code{lstat} returns information about the link itself; otherwise
+@@ -1936,6 +2058,9 @@ replaces the normal implementation.
+ @comment sys/stat.h
+ @comment Unix98
+ @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct system call through lxstat64, sometimes with an xstat conv
++@c call afterwards.
+ This function is similar to @code{lstat} but it is also able to work on
+ files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
+ this the result is stored in a variable of type @code{struct stat64} to
+@@ -1974,12 +2099,14 @@ that file:
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISDIR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a directory.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISCHR (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a character special file (a
+ device like a terminal).
+ @end deftypefn
+@@ -1987,6 +2114,7 @@ device like a terminal).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISBLK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a block special file (a device
+ like a disk).
+ @end deftypefn
+@@ -1994,12 +2122,14 @@ like a disk).
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISREG (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a regular file.
+ @end deftypefn
+ 
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_ISFIFO (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a FIFO special file, or a
+ pipe.  @xref{Pipes and FIFOs}.
+ @end deftypefn
+@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISLNK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a symbolic link.
+ @xref{Symbolic Links}.
+ @end deftypefn
+@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefn Macro int S_ISSOCK (mode_t @var{m})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns non-zero if the file is a socket.  @xref{Sockets}.
+ @end deftypefn
+ 
+@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX message queues as distinct objects and the
+ file is a message queue object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX semaphores as distinct objects and the
+ file is a semaphore object, this macro returns a non-zero value.
+ In all other cases the result is zero.
+@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
+ @comment sys/stat.h
+ @comment POSIX
+ @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ If the system implement POSIX shared memory objects as distinct objects
+ and the file is an shared memory object, this macro returns a non-zero
+ value.  In all other cases the result is zero.
+@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chown} function changes the owner of the file @var{filename} to
+ @var{owner}, and its group owner to @var{group}.
+ 
+@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chown}, except that it changes the owner of the open
+ file with descriptor @var{filedes}.
+ 
+@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun mode_t umask (mode_t @var{mask})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{umask} function sets the file creation mask of the current
+ process to @var{mask}, and returns the previous value of the file
+ creation mask.
+@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
+ @comment sys/stat.h
+ @comment GNU
+ @deftypefun mode_t getumask (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ Return the current value of the file creation mask for the current
+ process.  This function is a GNU extension and is only available on
+ @gnuhurdsystems{}.
+@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
+ @comment sys/stat.h
+ @comment POSIX.1
+ @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{chmod} function sets the access permission bits for the file
+ named by @var{filename} to @var{mode}.
+ 
+@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This is like @code{chmod}, except that it changes the permissions of the
+ currently open file given by @var{filedes}.
+ 
+@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int access (const char *@var{filename}, int @var{how})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{access} function checks to see whether the file named by
+ @var{filename} can be accessed in the way specified by the @var{how}
+ argument.  The @var{how} argument either can be the bitwise OR of the
+@@ -2732,6 +2874,9 @@ This is the modification time for the file.
+ @comment utime.h
+ @comment POSIX.1
+ @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utime syscall, it non-atomically converts times
++@c to a struct timeval and calls utimes.
+ This function is used to modify the file times associated with the file
+ named @var{filename}.
+ 
+@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c In the absence of a utimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, or to
++@c struct utimbuf and calls utime.
+ This function sets the file access and modification times of the file
+ @var{filename}.  The new file access time is specified by
+ @code{@var{tvp}[0]}, and the new modification time by
+@@ -2797,6 +2946,9 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no lutimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall.
+ This function is like @code{utimes}, except that it does not follow
+ symbolic links.  If @var{filename} is the name of a symbolic link,
+ @code{lutimes} sets the file access and modification times of the
+@@ -2813,6 +2965,10 @@ function.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Since there's no futimes syscall, it non-atomically converts tvp
++@c to struct timespec array and issues a utimensat syscall, falling back
++@c to utimes on a /proc/self/fd symlink.
+ This function is like @code{utimes}, except that it takes an open file
+ descriptor as an argument instead of a file name.  @xref{Low-Level
+ I/O}.  This function comes from FreeBSD, and is not available on all
+@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
+ @comment unistd.h
+ @comment X/Open
+ @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a truncate syscall, we use open and ftruncate.
+ 
+ The @code{truncate} function changes the size of @var{filename} to
+ @var{length}.  If @var{length} is shorter than the previous length, data
+@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try truncate if length fits.
+ This function is similar to the @code{truncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines, which allows the handling of files with sizes up to
+@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This is like @code{truncate}, but it works on a file descriptor @var{fd}
+ for an opened file instead of a file name to identify the object.  The
+@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c In the absence of a syscall, try ftruncate if length fits.
+ This function is similar to the @code{ftruncate} function.  The
+ difference is that the @var{length} argument is 64 bits wide even on 32
+ bits machines which allows the handling of files with sizes up to
+@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
+ @comment sys/stat.h
+ @comment BSD
+ @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Instead of issuing the syscall directly, we go through xmknod.
++@c Although the internal xmknod takes a dev_t*, that could lead to
++@c xguargs races, it's passed a pointer to mknod's dev.
+ The @code{mknod} function makes a special file with name @var{filename}.
+ The @var{mode} specifies the mode of the file, and may include the various
+ special file bits, such as @code{S_IFCHR} (for a character special file)
+@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} tmpfile (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@c The unsafety issues are those of fdopen, plus fdleak because of the
++@c open.
++@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
++@c  libc_secure_genenv only if try_tmpdir
++@c  xstat64, strlen, strcmp, sprintf
++@c __gen_tempname (internal tmpl, __GT_FILE) ok
++@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
++@c  HP_TIMING_NOW if available ok
++@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
++@c  static value is used and modified without synchronization ok
++@c   but the use is as a source of non-cryptographic randomness
++@c   with retries in case of collision, so it should be safe
++@c unlink, fdopen
+ This function creates a temporary binary file for update mode, as if by
+ calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
+ automatically when it is closed or when the program terminates.  (On
+@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} tmpfile64 (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+ This function is similar to @code{tmpfile}, but the stream it returns a
+ pointer to was opened using @code{tmpfile64}.  Therefore this stream can
+ be used for files larger then @math{2^31} bytes on 32-bit machines.
+@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {char *} tmpnam (char *@var{result})
++@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
++@c The passed-in buffer should not be modified concurrently with the
++@c call.
++@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+ This function constructs and returns a valid file name that does not
+ refer to any existing file.  If the @var{result} argument is a null
+ pointer, the return value is a pointer to an internal static string,
+@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {char *} tmpnam_r (char *@var{result})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+ This function is nearly identical to the @code{tmpnam} function, except
+ that if @var{result} is a null pointer it returns a null pointer.
+ 
+@@ -3192,6 +3380,13 @@ never less than @code{25}.
+ @comment stdio.h
+ @comment SVID
+ @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
++@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
++@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
++@c even with a non-NULL dir, which makes this thread-unsafe.
++@c
++@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
++@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
++@c strdup
+ This function generates a unique temporary file name.  If @var{prefix}
+ is not a null pointer, up to five characters of this string are used as
+ a prefix for the file name.  The return value is a string newly
+@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
+ @comment stdlib.h
+ @comment Unix
+ @deftypefun {char *} mktemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
+ The @code{mktemp} function generates a unique file name by modifying
+ @var{template} as described above.  If successful, it returns
+ @var{template} as modified.  If @code{mktemp} cannot find a unique file
+@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun int mkstemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
++@c __gen_tempname (caller tmpl, __GT_FILE) ok
+ The @code{mkstemp} function generates a unique file name just as
+ @code{mktemp} does, but it also opens the file for you with @code{open}
+ (@pxref{Opening and Closing Files}).  If successful, it modifies
+@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
+ @comment stdlib.h
+ @comment BSD
+ @deftypefun {char *} mkdtemp (char *@var{template})
++@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
++@c __gen_tempname (caller tmpl, __GT_DIR) ok
+ The @code{mkdtemp} function creates a directory with a unique name.  If
+ it succeeds, it overwrites @var{template} with the name of the
+ directory, and returns @var{template}.  As with @code{mktemp} and
+@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
+ @xref{Creating Directories}.
+ 
+ The @code{mkdtemp} function comes from OpenBSD.
++
++@c FIXME these are undocumented:
++@c faccessat
++@c fchmodat
++@c fchownat
++@c futimesat
++@c fstatat
++@c linkat
++@c mkdirat
++@c mkfifoat
++@c name_to_handle_at
++@c openat
++@c open_by_handle_at
++@c readlinkat
++@c renameat
++@c scandirat
++@c symlinkat
++@c unlinkat
++@c utimensat
++@c mknodat
+diff --git a/manual/getopt.texi b/manual/getopt.texi
+index f0b7283..3c1f4de 100644
+--- a/manual/getopt.texi
++++ b/manual/getopt.texi
+@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
+ @comment unistd.h
+ @comment POSIX.2
+ @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
++@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c It may swap argv elements but argv is not guarded, and the
++@c modifications may be partial in case of cancellation.  Calling getenv
++@c also brings about thread-safety issues out of access and returning
++@c pointers into the globally shared environment array, just like
++@c calling gettext brings about a whole lot of AS and AC safety issues.
++@c The getopt API involves returning values in the non-thread-specific
++@c optarg variable, which adds another thread-safety issue.  Given
++@c print_errors, it may output errors to stderr, which may
++@c self-deadlock, leak locks, or encounter (in a signal handler) or
++@c leave (in case of cancellation) stderr in an inconsistent state.
++@c Various implicit, indirect uses of malloc, in uses of memstream and
++@c asprintf for error-printing, bring about the usual malloc issues.
++@c (The explicit use of malloc in a conditional situation in
++@c _getopt_initialize is never exercised in glibc.)
++@c
++@c _getopt_internal
++@c  _getopt_internal_r
++@c   gettext
++@c   _getopt_initialize
++@c    getenv
++@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
++@c   open_memstream
++@c   lockfile, unlockfile, __fxprintf -> stderr
++@c   asprintf
+ The @code{getopt} function gets the next option argument from the
+ argument list specified by the @var{argv} and @var{argc} arguments.
+ Normally these values come directly from the arguments received by
+@@ -225,6 +250,8 @@ was seen.
+ @comment getopt.h
+ @comment GNU
+ @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
++@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c Same issues as getopt.
+ Decode options from the vector @var{argv} (whose length is @var{argc}).
+ The argument @var{shortopts} describes the short options to accept, just as
+ it does in @code{getopt}.  The argument @var{longopts} describes the long
+@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
+ @comment getopt.h
+ @comment GNU
+ @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
++@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
++@c Same issues as getopt.
+ 
+ The @code{getopt_long_only} function is equivalent to the
+ @code{getopt_long} function but it allows to specify the user of the
+diff --git a/manual/intro.texi b/manual/intro.texi
+index 2630a77..e47832c 100644
+--- a/manual/intro.texi
++++ b/manual/intro.texi
+@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
+ @code{setlocale} should not be called while these functions are active.
+ 
+ 
++@item @code{envromt}
++@cindex envromt
++
++Functions marked with @code{envromt} access the environment with
++@code{getenv} or similar, requiring the environment to be effectively
++read-only for MT-Safe operation.
++
++Environment-modifying functions do not protect in any way against
++concurrent modifications or access, so calling @code{envromt}-marked
++functions concurrently with @code{setenv}, @code{putenv},
++@code{unsetenv} or direct modifications of the global environment data
++structures is ill-advised; external concurrency control must be
++introduced by callers of these environment-modifying and
++@code{envromt}-marked functions.
++
++Functions that modify the environment are also marked with
++@code{envromt}, but they are not MT-Safe for the reasons above.  Since
++all environment-modifying functions are MT-Unsafe, functions that only
++access the environment are marked as MT-Safe when no other safety issue
++applies.
++
++
+ @item @code{uunguard}
+ @cindex uunguard
+ 
+@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
+ modified concurrently by other threads or signal handlers.
+ 
+ 
++@item @code{tempchwd}
++@cindex tempchwd
++
++Functions marked with @code{tempchwd} may temporarily change the current
++working directory during their execution, which may cause relative
++pathnames to be resolved in unexpected ways in other threads or within
++asynchronous signal or cancellation handlers.
++
++This is not enough of a reason to mark so-marked functions as MT-Unsafe,
++but when this behavior is optional (e.g., @code{nftw} with
++@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
++a good alternative to using full pathnames or file descriptor-relative
++(e.g. @code{openat}) system calls.
++
++
++@item @code{tempterm}
++@cindex tempterm
++
++Functions marked with @code{tempterm} may temporarily change the
++terminal settings.
++
++This would not be enough of a reason to mark so-marked functions as
++MT-Unsafe, but the recommended mode to modify terminal settings is to
++call @code{tcgetattr}, modify some flags, and then call
++@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
++they leave a window in which changes made by other threads are lost.
++
++It is thus advisable for applications using the terminal to avoid
++concurrent interactions with it, more so if they expect different
++terminal modes.
++
++If this mark appears as an AC-Safety note, it means the function may
++also fail to restore the original terminal mode in case of asynchronous
++cancellation.
++
++
+ @end itemize
+ 
+ 
+@@ -305,11 +363,37 @@ as follows:
+ 
+ Functions annotated with @code{staticbuf} use internal static buffers or
+ variables in ways that may cause concurrent calls to interfere
+-destructively.
++destructively.  
+ 
+ These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+ offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+ 
++In many of these cases, the static buffer is only used to hold a return
++value; in a few of these, such as @code{tmpnam}, the use of the internal
++buffer can be avoided by passing the buffer as an argument, which makes
++the call MT-Safe and AS-Safe.
++
++
++@item @code{asi18n}
++@cindex asi18n
++
++Functions marked with @code{asi18n} use internationalization functions
++(@code{gettext}), which brings in a number of dependencies and issues
++yet to be documented.
++
++
++@item @code{shlimb}
++@cindex shlimb
++
++Functions marked with @code{shlimb} use the dynamic loader to bring in
++additional code modules.  This involves opening files, mapping them into
++memory, allocating additional memory, resolving symbols, applying
++relocations and more, all of this while holding the dynamic loader
++lock.  
++
++The non-recursive lock itself is enough for the function to be AS- and
++AC-Unsafe, but many other issues may arise.
++
+ 
+ @item @code{fdleak}
+ @cindex fdleak
+@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
+ Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ ensure MT-Safety while modifying data structures guarded by the lock.
+ 
+-If such a function is interrupted by a signal while holding the lock,
+-and the signal handler calls any function that takes the same
+-non-recursive lock, the result is a deadlock.
++If such a function is called by a signal handler that interrupted
++another such function that took the lock, the result is a deadlock.
+ 
+ Blocking asynchronous signal delivery while calling such functions is
+ the only safe way to avoid a deadlock if any signal handler might need
+@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
+ MT-Safety while accessing or modifying data structures guarded by the
+ lock.
+ 
+-If such a function is interrupted by a signal while holding the lock,
+-and the signal handler calls any function that takes the same
+-non-recursive lock, the latter function may observe a partially updated,
+-inconsistent data structure, and misbehave.
++If such a function is called by a signal handler that interrupted
++another such function that took the lock, both may misbehave for
++observing inconsistent (partially updated or cached) data structures.
+ 
+ Blocking asynchronous signal delivery while calling such functions is
+ the only safe way to avoid the misbehavior that may ensue if any signal
+@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
+ only safe way to avoid the misbehavior that may ensure if the thread is
+ canceled while the function is running.
+ 
++@c A special case, probably not worth documenting separately, involves
++@c reallocing, or even freeing pointers.  Any case involving free could
++@c be easily turned into an ac-safe memleak by resetting the pointer
++@c before releasing it; I don't think we have any case that calls for
++@c this sort of fixing.  Fixing the realloc cases would require a new
++@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
++@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
++@c before releasing the old memory.  The ac-unsafe realloc could be
++@c implemented in terms of an internal interface with this semantics
++@c (say __acsafe_realloc), but since realloc can be overridden, the
++@c function we call to implement realloc should not be this internal
++@c interface, but another internal interface that calls __acsafe_realloc
++@c if realloc was not overridden, and calls the overridden realloc with
++@c async cancel disabled.  --lxoliva
++
+ 
+ @item @code{simfpu}
+ @cindex simfpu
+diff --git a/manual/job.texi b/manual/job.texi
+index 4efeed3..779ea96 100644
+--- a/manual/job.texi
++++ b/manual/job.texi
+@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
+ @comment stdio.h
+ @comment POSIX.1
+ @deftypefun {char *} ctermid (char *@var{string})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This function is a stub by default; the actual implementation, for
++@c posix systems, returns an internal buffer if passed a NULL string,
++@c but the internal buffer is always set to /dev/tty.
+ The @code{ctermid} function returns a string containing the file name of
+ the controlling terminal for the current process.  If @var{string} is
+ not a null pointer, it should be an array that can hold at least
+@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun pid_t setsid (void)
++@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
++@c This is usually a direct syscall, but if a syscall is not available,
++@c we use a stub, or Hurd- and BSD-specific implementations.  The former
++@c uses a mutex and a hurd critical section, and the latter issues a few
++@c syscalls, so both seem safe, except for the locking on Hurd.
+ The @code{setsid} function creates a new session.  The calling process
+ becomes the session leader, and is put in a new process group whose
+ process group ID is the same as the process ID of that process.  There
+@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
+ @comment unistd.h
+ @comment SVID
+ @deftypefun pid_t getsid (pid_t @var{pid})
+-
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub or direct syscall, except on hurd, where it is equally safe.
+ The @code{getsid} function returns the process group ID of the session
+ leader of the specified process.  If a @var{pid} is @code{0}, the
+ process group ID of the session leader of the current process is
+@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Wrapper for getpgid.
+ The POSIX.1 definition of @code{getpgrp} returns the process group ID of
+ the calling process.
+ @end deftypefn
+@@ -1141,6 +1153,8 @@ the calling process.
+ @comment unistd.h
+ @comment BSD
+ @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Wrapper for getpgid.
+ The BSD definition of @code{getpgrp} returns the process group ID of the
+ process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
+ argument to get information about the calling process.
+@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
+ @comment unistd.h
+ @comment SVID
+ @deftypefn {System V Function} int getpgid (pid_t @var{pid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub or direct syscall, except on hurd, where it is equally safe.
+ 
+ @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
+ returns the process group ID of the process @var{pid}.  You can supply a
+@@ -1171,6 +1187,8 @@ process.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub or direct syscall, except on hurd, where it is equally safe.
+ The @code{setpgid} function puts the process @var{pid} into the process
+ group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
+ be zero to indicate the process ID of the calling process.
+@@ -1208,6 +1226,8 @@ process or a child of the calling process.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct syscall or setpgid wrapper.
+ This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
+ the same thing.
+ @end deftypefun
+@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun pid_t tcgetpgrp (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub, or ioctl on BSD and GNU/Linux.
+ This function returns the process group ID of the foreground process
+ group associated with the terminal open on descriptor @var{filedes}.
+ 
+@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Stub, or ioctl on BSD and GNU/Linux.
+ This function is used to set a terminal's foreground process group ID.
+ The argument @var{filedes} is a descriptor which specifies the terminal;
+ @var{pgid} specifies the process group.  The calling process must be a
+@@ -1297,6 +1321,8 @@ process.
+ @comment termios.h
+ @comment Unix98
+ @deftypefun pid_t tcgetsid (int @var{fildes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
+ This function is used to obtain the process group ID of the session
+ for which the terminal specified by @var{fildes} is the controlling terminal.
+ If the call is successful the group ID is returned.  Otherwise the
+diff --git a/manual/lang.texi b/manual/lang.texi
+index ee04e23..d6cd90c 100644
+--- a/manual/lang.texi
++++ b/manual/lang.texi
+@@ -51,6 +51,8 @@ without indicating anything might be wrong.
+ @comment assert.h
+ @comment ISO
+ @deftypefn Macro void assert (int @var{expression})
++@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
++@c assert_fail_base calls asprintf, and fflushes stderr.
+ Verify the programmer's belief that @var{expression} is nonzero at
+ this point in the program.
+ 
+@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
+ @comment assert.h
+ @comment GNU
+ @deftypefn Macro void assert_perror (int @var{errnum})
++@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
++@c assert_fail_base calls asprintf, and fflushes stderr.
+ Similar to @code{assert}, but verifies that @var{errnum} is zero.
+ 
+ If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
+@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
+ @comment stdarg.h
+ @comment ISO
+ @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ This macro initializes the argument pointer variable @var{ap} to point
+ to the first of the optional arguments of the current function;
+ @var{last-required} must be the last required argument to the function.
+@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
+ @comment stdarg.h
+ @comment ISO
+ @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ The @code{va_arg} macro returns the value of the next optional argument,
+ and modifies the value of @var{ap} to point to the subsequent argument.
+ Thus, successive uses of @code{va_arg} return successive optional
+@@ -445,6 +453,8 @@ of the actual argument.
+ @comment stdarg.h
+ @comment ISO
+ @deftypefn {Macro} void va_end (va_list @var{ap})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ This ends the use of @var{ap}.  After a @code{va_end} call, further
+ @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
+ @code{va_end} before returning from the function in which @code{va_start}
+@@ -466,6 +476,8 @@ of the same type.
+ @comment ISO
+ @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
+ @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ The @code{va_copy} macro allows copying of objects of type
+ @code{va_list} even if this is not an integral type.  The argument pointer
+ in @var{dest} is initialized to point to the same argument as the
+@@ -1212,6 +1224,8 @@ type of a particular structure member.
+ @comment stddef.h
+ @comment ISO
+ @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is no longer provided by glibc, but rather by the compiler.
+ This expands to a integer constant expression that is the offset of the
+ structure member named @var{member} in the structure type @var{type}.
+ For example, @code{offsetof (struct s, elem)} is the offset, in bytes,
+diff --git a/manual/libdl.texi b/manual/libdl.texi
+new file mode 100644
+index 0000000..e3fe045
+--- /dev/null
++++ b/manual/libdl.texi
+@@ -0,0 +1,10 @@
++@c FIXME these are undocumented:
++@c dladdr
++@c dladdr1
++@c dlclose
++@c dlerror
++@c dlinfo
++@c dlmopen
++@c dlopen
++@c dlsym
++@c dlvsym
+diff --git a/manual/llio.texi b/manual/llio.texi
+index b129cf4..66370c4 100644
+--- a/manual/llio.texi
++++ b/manual/llio.texi
+@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
+ @comment fcntl.h
+ @comment POSIX.1
+ @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ The @code{open} function creates and returns a new file descriptor for
+ the file named by @var{filename}.  Initially, the file position
+ indicator for the file is at the beginning of the file.  The argument
+@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
+ @comment fcntl.h
+ @comment Unix98
+ @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ This function is similar to @code{open}.  It returns a file descriptor
+ which can be used to access the file named by @var{filename}.  The only
+ difference is that on 32 bit systems the file is opened in the
+@@ -178,6 +180,7 @@ replaces the old API.
+ @comment fcntl.h
+ @comment POSIX.1
+ @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ This function is obsolete.  The call:
+ 
+ @smallexample
+@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
+ @comment fcntl.h
+ @comment Unix98
+ @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ This function is similar to @code{creat}.  It returns a file descriptor
+ which can be used to access the file named by @var{filename}.  The only
+ the difference is that on 32 bit systems the file is opened in the
+@@ -219,6 +223,7 @@ replaces the old API.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int close (int @var{filedes})
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+ The function @code{close} closes the file descriptor @var{filedes}.
+ Closing a file has the following consequences:
+ 
+@@ -300,6 +305,7 @@ but must be a signed type.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{read} function reads up to @var{size} bytes from the file
+ with descriptor @var{filedes}, storing the results in the @var{buffer}.
+ (This is not necessarily a character string, and no terminating null
+@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek, read and lseek back, but is it
++@c used anywhere?
+ The @code{pread} function is similar to the @code{read} function.  The
+ first three arguments are identical, and the return values and error
+ codes also correspond.
+@@ -430,6 +440,10 @@ version 2.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
++@c it used anywhere?
+ This function is similar to the @code{pread} function.  The difference
+ is that the @var{offset} parameter is of type @code{off64_t} instead of
+ @code{off_t} which makes it possible on 32 bit machines to address
+@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{write} function writes up to @var{size} bytes from
+ @var{buffer} to the file with descriptor @var{filedes}.  The data in
+ @var{buffer} is not necessarily a character string and a null character is
+@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek, write and lseek back, but is it
++@c used anywhere?
+ The @code{pwrite} function is similar to the @code{write} function.  The
+ first three arguments are identical, and the return values and error codes
+ also correspond.
+@@ -592,6 +611,10 @@ version 2.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
++@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
++@c is it used anywhere?
+ This function is similar to the @code{pwrite} function.  The difference
+ is that the @var{offset} parameter is of type @code{off64_t} instead of
+ @code{off_t} which makes it possible on 32 bit machines to address
+@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{lseek} function is used to change the file position of the
+ file with descriptor @var{filedes}.
+ 
+@@ -713,6 +737,7 @@ descriptors.
+ @comment unistd.h
+ @comment Unix98
+ @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to the @code{lseek} function.  The difference
+ is that the @var{offset} parameter is of type @code{off64_t} instead of
+ @code{off_t} which makes it possible on 32 bit machines to address
+@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
+ @comment stdio.h
+ @comment POSIX.1
+ @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+ The @code{fdopen} function returns a new stream for the file descriptor
+ @var{filedes}.
+ 
+@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
+ @comment stdio.h
+ @comment POSIX.1
+ @deftypefun int fileno (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function returns the file descriptor associated with the stream
+ @var{stream}.  If an error is detected (for example, if the @var{stream}
+ is not valid) or if @var{stream} does not do I/O to a file,
+@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
+ @comment stdio.h
+ @comment GNU
+ @deftypefun int fileno_unlocked (FILE *@var{stream})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fileno_unlocked} function is equivalent to the @code{fileno}
+ function except that it does not implicitly lock the stream if the state
+ is @code{FSETLOCKING_INTERNAL}.
+@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
+ @comment sys/uio.h
+ @comment BSD
+ @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+-
++@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++@c The fallback sysdeps/posix implementation, used even on GNU/Linux
++@c with old kernels that lack a full readv/writev implementation, may
++@c malloc the buffer into which data is read, if the total read size is
++@c too large for alloca.
+ The @code{readv} function reads data from @var{filedes} and scatters it
+ into the buffers described in @var{vector}, which is taken to be
+ @var{count} structures long.  As each buffer is filled, data is sent to the
+@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
+ @comment sys/uio.h
+ @comment BSD
+ @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
++@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++@c The fallback sysdeps/posix implementation, used even on GNU/Linux
++@c with old kernels that lack a full readv/writev implementation, may
++@c malloc the buffer from which data is written, if the total write size
++@c is too large for alloca.
+ 
+ The @code{writev} function gathers data from the buffers described in
+ @var{vector}, which is taken to be @var{count} structures long, and writes
+@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The @code{mmap} function creates a new mapping, connected to bytes
+ (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
+@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
+ @comment sys/mman.h
+ @comment LFS
+ @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
++@c is) would be thread-unsafe.
+ The @code{mmap64} function is equivalent to the @code{mmap} function but
+ the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
+ this allows the file associated with the @var{filedes} descriptor to be
+@@ -1284,6 +1325,7 @@ replaces the old API.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun int munmap (void *@var{addr}, size_t @var{length})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
+ @var{length}).  @var{length} should be the length of the mapping.
+@@ -1310,6 +1352,7 @@ aligned.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ When using shared mappings, the kernel can write the file at any time
+ before the mapping is removed.  To be certain data has actually been
+@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
+ @comment sys/mman.h
+ @comment GNU
+ @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This function can be used to change the size of an existing memory
+ area. @var{address} and @var{length} must cover a region entirely mapped
+@@ -1405,6 +1449,7 @@ Coding Standards}.
+ @comment sys/mman.h
+ @comment POSIX
+ @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ This function can be used to provide the system with @var{advice} about
+ the intended usage patterns of the memory region starting at @var{addr}
+@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro void FD_ZERO (fd_set *@var{set})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro initializes the file descriptor set @var{set} to be the
+ empty set.
+ @end deftypefn
+@@ -1538,6 +1584,9 @@ empty set.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Setting a bit isn't necessarily atomic, so there's a potential race
++@c here if set is not used exclusively.
+ This macro adds @var{filedes} to the file descriptor set @var{set}.
+ 
+ The @var{filedes} parameter must not have side effects since it is
+@@ -1547,6 +1596,9 @@ evaluated more than once.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Setting a bit isn't necessarily atomic, so there's a potential race
++@c here if set is not used exclusively.
+ This macro removes @var{filedes} from the file descriptor set @var{set}.
+ 
+ The @var{filedes} parameter must not have side effects since it is
+@@ -1556,6 +1608,7 @@ evaluated more than once.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This macro returns a nonzero value (true) if @var{filedes} is a member
+ of the file descriptor set @var{set}, and zero (false) otherwise.
+ 
+@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
+ @comment sys/types.h
+ @comment BSD
+ @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c The select syscall is preferred, but pselect6 may be used instead,
++@c which requires converting timeout to a timespec and back.  The
++@c conversions are not atomic.
+ The @code{select} function blocks the calling process until there is
+ activity on any of the specified sets of file descriptors, or until the
+ timeout period has expired.
+@@ -1670,6 +1727,7 @@ they return.
+ @comment unistd.h
+ @comment X/Open
+ @deftypefun void sync (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ A call to this function will not return as long as there is data which
+ has not been written to the device.  All dirty buffers in the kernel will
+ be written and so an overall consistent system can be achieved (if no
+@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int fsync (int @var{fildes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fsync} function can be used to make sure all data associated with
+ the open file @var{fildes} is written to the device associated with the
+ descriptor.  The function call does not return unless all actions have
+@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
+ @comment unistd.h
+ @comment POSIX
+ @deftypefun int fdatasync (int @var{fildes})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ When a call to the @code{fdatasync} function returns, it is ensured
+ that all of the file data is written to the device.  For all pending I/O
+ operations, the parts guaranteeing data integrity finished.
+@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_read (struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c Calls aio_enqueue_request.
++@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
++@c  pthread_self ok
++@c  pthread_getschedparam selfdeadlock, lockleak
++@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
++@c   sched_getparam ok
++@c   sched_getscheduler ok
++@c   lll_unlock lockleak
++@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
++@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
++@c   realloc asmalloc, memleak
++@c   calloc asmalloc, memleak
++@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
++@c   pthread_attr_init ok
++@c   pthread_attr_setdetachstate ok
++@c   pthread_get_minstack ok
++@c   pthread_attr_setstacksize ok
++@c   sigfillset ok
++@c    memset ok
++@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
++@c   SYSCALL rt_sigprocmask ok
++@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
++@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
++@c    alloca/malloc asmalloc, memleak
++@c    lll_unlock lockleak
++@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
++@c     getpagesize dup
++@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
++@c     lll_unlock lockleak
++@c     _dl_allocate_tls asmalloc, memleak
++@c      _dl_allocate_tls_storage asmalloc, memleak
++@c       memalign asmalloc, memleak
++@c       memset ok
++@c       allocate_dtv dup
++@c       free asmalloc, memleak
++@c      allocate_dtv asmalloc, memleak
++@c       calloc asmalloc, memleak
++@c       INSTALL_DTV ok
++@c     list_add dup
++@c     get_cached_stack
++@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
++@c      list_for_each ok
++@c      list_entry dup
++@c      FREE_P dup
++@c      stack_list_del dup
++@c      stack_list_add dup
++@c      lll_unlock lockleak
++@c      _dl_allocate_tls_init ok
++@c       GET_DTV ok
++@c     mmap ok
++@c     atomic_increment_val ok
++@c     munmap ok
++@c     change_stack_perm ok
++@c      mprotect ok
++@c     mprotect ok
++@c     stack_list_del dup
++@c     _dl_deallocate_tls dup
++@c     munmap ok
++@c    THREAD_COPY_STACK_GUARD ok
++@c    THREAD_COPY_POINTER_GUARD ok
++@c    atomic_exchange_acq ok
++@c    lll_futex_wake ok
++@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
++@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
++@c     stack_list_del ok
++@c      atomic_write_barrier ok
++@c      list_del ok [uunguard]
++@c      atomic_write_barrier ok
++@c     queue_stack asmalloc, memleak
++@c      stack_list_add ok
++@c       atomic_write_barrier ok
++@c       list_add ok [uunguard]
++@c       atomic_write_barrier ok
++@c      free_stacks asmalloc, memleak
++@c       list_for_each_prev_safe ok
++@c       list_entry ok
++@c       FREE_P ok
++@c       stack_list_del dup
++@c       _dl_deallocate_tls dup
++@c       munmap ok
++@c     _dl_deallocate_tls asmalloc, memleak
++@c      free asmalloc, memleak
++@c     lll_unlock lockleak
++@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
++@c     td_eventword
++@c     td_eventmask
++@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
++@c      PREPARE_CREATE ok
++@c      lll_lock (pd->lock) selfdeadlock, lockleak
++@c      atomic_increment ok
++@c      clone ok
++@c      atomic_decrement ok
++@c      atomic_exchange_acq ok
++@c      lll_futex_wake ok
++@c      deallocate_stack dup
++@c      sched_setaffinity ok
++@c      tgkill ok
++@c      sched_setscheduler ok
++@c     atomic_compare_and_exchange_bool_acq ok
++@c     nptl_create_event ok
++@c     lll_unlock (pd->lock) lockleak
++@c    free asmalloc, memleak
++@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
++@c  add_request_to_runlist ok [xguargs]
++@c  pthread_cond_signal ok
++@c  aio_free_request ok [xguargs]
++@c  pthread_mutex_unlock lockleak
++
++@c (in the new thread, initiated with clone)
++@c    start_thread ok
++@c     HP_TIMING_NOW ok
++@c     ctype_init [glocale] (in theory, but optimized into safety)
++@c     atomic_exchange_acq ok
++@c     lll_futex_wake ok
++@c     sigemptyset ok
++@c     sigaddset ok
++@c     setjmp ok
++@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
++@c      do_cancel ok
++@c       pthread_unwind ok
++@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
++@c     lll_lock selfdeadlock, lockleak
++@c     lll_unlock selfdeadlock, lockleak
++@c     CANCEL_RESET -> pthread_disable_asynccancel ok
++@c      lll_futex_wait ok
++@c     ->start_routine ok -----
++@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
++@c      user-supplied dtor
++@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
++@c      rtld_lock_unlock_recursive lockleak
++@c      free asmalloc, memleak
++@c     nptl_deallocate_tsd asmalloc, memleak
++@c      tsd user-supplied dtors ok
++@c      free asmalloc, memleak
++@c     libc_thread_freeres
++@c      libc_thread_subfreeres ok
++@c     atomic_decrement_and_test ok
++@c     td_eventword ok
++@c     td_eventmask ok
++@c     atomic_compare_exchange_bool_acq ok
++@c     nptl_death_event ok
++@c     lll_robust_dead ok
++@c     getpagesize ok
++@c     madvise ok
++@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
++@c      free asmalloc, memleak
++@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
++@c     lll_futex_wait ok
++@c     exit_thread_inline ok
++@c      syscall(exit) ok
++
+ This function initiates an asynchronous read operation.  It
+ immediately returns after the operation was enqueued or when an
+ error was encountered.
+@@ -1988,6 +2200,7 @@ replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to the @code{aio_read} function.  The only
+ difference is that on @w{32 bit} machines, the file descriptor should
+ be opened in the large file mode.  Internally, @code{aio_read64} uses
+@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_write (struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function initiates an asynchronous write operation.  The function
+ call immediately returns after the operation was enqueued or if before
+ this happens an error was encountered.
+@@ -2072,6 +2286,7 @@ replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to the @code{aio_write} function.  The only
+ difference is that on @w{32 bit} machines the file descriptor should
+ be opened in the large file mode.  Internally @code{aio_write64} uses
+@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
++@c enqueues each request.  Then, it waits for notification or prepares
++@c for it before releasing the lock.  Even though it performs memory
++@c allocation and locking of its own, it doesn't add any classes of
++@c safety issues that aren't already covered by aio_enqueue_request.
+ The @code{lio_listio} function can be used to enqueue an arbitrary
+ number of read and write requests at one time.  The requests can all be
+ meant for the same file, all for different files or every solution in
+@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to the @code{lio_listio} function.  The only
+ difference is that on @w{32 bit} machines, the file descriptor should
+ be opened in the large file mode.  Internally, @code{lio_listio64} uses
+@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function determines the error state of the request described by the
+ @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
+ request has not yet terminated the value returned is always
+@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{aio_error} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2238,6 +2462,7 @@ machines.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function can be used to retrieve the return status of the operation
+ carried out by the request described in the variable pointed to by
+ @var{aiocbp}.  As long as the error status of this request as returned
+@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function is similar to @code{aio_return} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c After fcntl to check that the FD is open, it calls
++@c aio_enqueue_request.
+ Calling this function forces all I/O operations operating queued at the
+ time of the function call operating on the file descriptor
+ @code{aiocbp->aio_fildes} into the synchronized I/O completion state
+@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to @code{aio_fsync} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c Take aio_requests_mutex, set up waitlist and requestlist, wait
++@c for completion or timeout, and release the mutex.
+ When calling this function, the calling thread is suspended until at
+ least one of the requests pointed to by the @var{nent} elements of the
+ array @var{list} has completed.  If any of the requests has already
+@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+ This function is similar to @code{aio_suspend} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
+ @comment aio.h
+ @comment POSIX.1b
+ @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c After fcntl to check the fd is open, hold aio_requests_mutex, call
++@c aio_find_req_fd, aio_remove_request, then aio_notify and
++@c aio_free_request each request before releasing the lock.
++@c aio_notify calls aio_notify_only and free, besides cond signal or
++@c similar.  aio_notify_only calls pthread_attr_init,
++@c pthread_attr_setdetachstate, malloc, pthread_create,
++@c notify_func_wrapper, aio_sigqueue, getpid, raise.
++@c notify_func_wraper calls aio_start_notify_thread, free and then the
++@c notifier function.
+ The @code{aio_cancel} function can be used to cancel one or more
+ outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
+ function tries to cancel all of the outstanding requests which would process
+@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
+ @comment aio.h
+ @comment Unix98
+ @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
++@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+ This function is similar to @code{aio_cancel} with the only difference
+ that the argument is a reference to a variable of type @code{struct
+ aiocb64}.
+@@ -2529,6 +2774,8 @@ Unused.
+ @comment aio.h
+ @comment GNU
+ @deftypefun void aio_init (const struct aioinit *@var{init})
++@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
++@c All changes to global objects are guarded by aio_requests_mutex.
+ This function must be called before any other AIO function.  Calling it
+ is completely voluntary, as it is only meant to help the AIO
+ implementation perform better.
+@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
+ @comment fcntl.h
+ @comment POSIX.1
+ @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ The @code{fcntl} function performs the operation specified by
+ @var{command} on the file descriptor @var{filedes}.  Some commands
+ require additional arguments to be supplied.  These additional arguments
+@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int dup (int @var{old})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function copies descriptor @var{old} to the first available
+ descriptor number (the first number not currently open).  It is
+ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
+@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
+ @comment unistd.h
+ @comment POSIX.1
+ @deftypefun int dup2 (int @var{old}, int @var{new})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ This function copies the descriptor @var{old} to descriptor number
+ @var{new}.
+ 
+@@ -3631,6 +3881,7 @@ different headers.
+ @comment sys/ioctl.h
+ @comment BSD
+ @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
+ 
+ The @code{ioctl} function performs the generic I/O operation
+ @var{command} on @var{filedes}.
+@@ -3650,3 +3901,6 @@ unknown device.
+ Most IOCTLs are OS-specific and/or only used in special system utilities,
+ and are thus beyond the scope of this document.  For an example of the use
+ of an IOCTL, see @ref{Out-of-Band Data}.
++
++@c FIXME this is undocumented:
++@c dup3
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 323268d..da50d18 100644
+--- a/manual/locale.texi
++++ b/manual/locale.texi
+@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
+ @comment locale.h
+ @comment ISO
+ @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+-@safety{@mtunsafe{uunguard}}
+-@c This function is MT-Safe, but uses of the global locale object are
+-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
+-@c the use of this function once threads are started.
++@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
++@c Uses of the global locale object are unguarded in functions that
++@c ought to be MT-Safe, so we're ruling out the use of this function
++@c once threads are started.  It takes a write lock itself, but it may
++@c return a pointer loaded from the global locale object after releasing
++@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
++@c and free, and _nl_find_locale, which amount to all documented safety
++@c issues.  It also calls new_composite_name, setdata, and setname,
++@c without any additional issues.  _nl_find_locale calls getenv, ...
++This function returns a pointer read 
+ The function @code{setlocale} sets the current locale for category
+ @var{category} to @var{locale}.  A list of all the locales the system
+ provides can be created by running
+diff --git a/manual/resource.texi b/manual/resource.texi
+index 1ec7af2..71b08f7 100644
+--- a/manual/resource.texi
++++ b/manual/resource.texi
+@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
+ @comment sys/resource.h
+ @comment BSD
+ @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct syscall on most systems.
+ Read the current and maximum limits for the resource @var{resource}
+ and store them in @code{*@var{rlp}}.
+ 
+@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
+ @comment sys/resource.h
+ @comment Unix98
+ @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
+ This function is similar to @code{getrlimit} but its second parameter is
+ a pointer to a variable of type @code{struct rlimit64}, which allows it
+ to read values which wouldn't fit in the member of a @code{struct
+@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
+ @comment unistd.h
+ @comment BSD
+ @deftypefun int getpagesize (void)
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
++@c the exception, with the possibility of a syscall.
+ The @code{getpagesize} function returns the page size of the process.
+ This value is fixed for the runtime of the process but can vary in
+ different runs of the application.
+@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun {long int} get_phys_pages (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
++@c This fopens a /proc file and scans it for the requested information.
+ The @code{get_phys_pages} function returns the total number of pages of
+ physical the system has.  To get the amount of memory this number has to
+ be multiplied by the page size.
+@@ -1569,6 +1578,7 @@ This function is a GNU extension.
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun {long int} get_avphys_pages (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+ The @code{get_phys_pages} function returns the number of available pages of
+ physical the system has.  To get the amount of memory this number has to
+ be multiplied by the page size.
+@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun int get_nprocs_conf (void)
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
++@c This function reads from from /sys using dir streams (single user, so
++@c no staticbuf MT-Safety issue), and on some arches, from /proc using
++@c streams.
+ The @code{get_nprocs_conf} function returns the number of processors the
+ operating system configured.
+ 
+@@ -1623,6 +1637,8 @@ This function is a GNU extension.
+ @comment sys/sysinfo.h
+ @comment GNU
+ @deftypefun int get_nprocs (void)
++@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
++@c This function reads from /proc using file descriptor I/O.
+ The @code{get_nprocs} function returns the number of available processors.
+ 
+ This function is a GNU extension.
+diff --git a/manual/search.texi b/manual/search.texi
+index efd3604..6910edc 100644
+--- a/manual/search.texi
++++ b/manual/search.texi
+@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
+ @comment stdlib.h
+ @comment ISO
+ @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
++@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
+ The @var{qsort} function sorts the array @var{array}.  The array contains
+ @var{count} elements, each of which is of size @var{size}.
+ 
+@@ -436,6 +437,11 @@ in the header file @file{search.h}.
+ @comment search.h
+ @comment SVID
+ @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
++@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
++@c The tree is not modified in a thread-safe manner, and rotations may
++@c leave the tree in an inconsistent state that could be observed in an
++@c asynchronous signal handler or after asynchronous cancellation of the
++@c thread performing the rotation or the insertion.
+ The @code{tsearch} function searches in the tree pointed to by
+ @code{*@var{rootp}} for an element matching @var{key}.  The function
+ pointed to by @var{compar} is used to determine whether two elements
+@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
+ @comment search.h
+ @comment SVID
+ @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+ The @code{tfind} function is similar to the @code{tsearch} function.  It
+ locates an element matching the one pointed to by @var{key} and returns
+ a pointer to this element.  But if no matching element is available no
+@@ -479,6 +486,7 @@ elements.
+ @comment search.h
+ @comment SVID
+ @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
++@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+ To remove a specific element matching @var{key} from the tree
+ @code{tdelete} can be used.  It locates the matching element using the
+ same method as @code{tfind}.  The corresponding element is then removed
+@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
+ @comment search.h
+ @comment GNU
+ @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
++@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+ If the complete search tree has to be removed one can use
+ @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
+ function to generate the tree pointed to by @var{vroot}.
+@@ -546,6 +555,7 @@ The current node is a leaf.
+ @comment search.h
+ @comment SVID
+ @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
++@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
+ For each node in the tree with a node pointed to by @var{root}, the
+ @code{twalk} function calls the function provided by the parameter
+ @var{action}.  For leaf nodes the function is called exactly once with
+diff --git a/manual/startup.texi b/manual/startup.texi
+index a277714..7bbaf13 100644
+--- a/manual/startup.texi
++++ b/manual/startup.texi
+@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
+ The difference to the @code{setenv} function is that the exact string
+ given as the parameter @var{string} is put into the environment.  If the
+ user should change the string after the @code{putenv} call this will
+-reflect in automatically in the environment.  This also requires that
+-@var{string} is no automatic variable which scope is left before the
++reflect automatically in the environment.  This also requires that
++@var{string} not be an automatic variable whose scope is left before the
+ variable is removed from the environment.  The same applies of course to
+ dynamically allocated variables which are freed later.
+ 
+diff --git a/manual/stdio.texi b/manual/stdio.texi
+index 7809dd4..79a3340 100644
+--- a/manual/stdio.texi
++++ b/manual/stdio.texi
+@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
+ @comment stdio.h
+ @comment ISO
+ @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+ @c fopen may leak the list lock if cancelled within _IO_link_in.
+ The @code{fopen} function opens a stream for I/O to the file
+ @var{filename}, and returns a pointer to the stream.
+@@ -267,7 +267,7 @@ Locks}.
+ @comment stdio.h
+ @comment Unix98
+ @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+ This function is similar to @code{fopen} but the stream it returns a
+ pointer for is opened using @code{open64}.  Therefore this stream can be
+ used even on files larger then @math{2^31} bytes on 32 bit machines.
+@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
+ @comment stdio.h
+ @comment ISO
+ @deftypefun int fclose (FILE *@var{stream})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+ @c After fclose, it is undefined behavior to use the stream it points
+ @c to.  Therefore, one must only call fclose when the stream is
+ @c otherwise unused.  Concurrent uses started before will complete
+@@ -2662,6 +2662,42 @@ pointer @var{ap}.
+ @c case of cancellation.  This doesn't make it unsafe, but cancelling it
+ @c may leak memory.  The unguarded use of __printf_function_table is
+ @c also of concern for all callers.
++@c _itoa ok
++@c   _udiv_qrnnd_preinv ok
++@c group_number ok
++@c _i18n_number_rewrite
++@c   __wctrans ok
++@c   __towctrans glocale
++@c   __wcrtomb ok? dup below
++@c   outdigit_value ok
++@c   outdigitwc_value ok
++@c outchar ok
++@c outstring ok
++@c PAD ok
++@c __printf_fp glocale memleak
++@c __printf_fphex glocale
++@c __readonly_area
++@c   [GNU/Linux] fopen, strtoul, free
++@c __strerror_r ok if no translation, check otherwise
++@c __btowc ? gconv-modules
++@c __wcrtomb ok (not using internal state) gconv-modules
++@c ARGCHECK
++@c UNBUFFERED_P (tested before taking the stream lock)
++@c buffered_vfprintf ok
++@c __find_spec(wc|mb)
++@c read_int
++@c __libc_use_alloca
++@c process_arg
++@c process_string_arg
++@c extend_alloca
++@c __parse_one_spec(wc|mb)
++@c *__printf_arginfo_table unguarded
++@c __printf_va_arg_table-> unguarded
++@c *__printf_function_table unguarded
++@c done_add
++@c printf_unknown
++@c   outchar
++@c   _itoa_word
+ This is the equivalent of @code{fprintf} with the variable argument list
+ specified directly as for @code{vprintf}.
+ @end deftypefun
+@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+ @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+ @c bringing with it additional potential for async trouble with
+ @c list_all_lock.
+@@ -5076,7 +5112,7 @@ Got r
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
+ This function opens a stream for writing to a buffer.  The buffer is
+ allocated dynamically and grown as necessary, using @code{malloc}.
+ After you've closed the stream, this buffer is your responsibility to
+@@ -5192,7 +5228,7 @@ closed.
+ @comment stdio.h
+ @comment GNU
+ @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
++@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+ This function actually creates the stream for communicating with the
+ @var{cookie} using the functions in the @var{io-functions} argument.
+ The @var{opentype} argument is interpreted as for @code{fopen};
+diff --git a/manual/string.texi b/manual/string.texi
+index 246be84..a75d298 100644
+--- a/manual/string.texi
++++ b/manual/string.texi
+@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
+ @comment string.h
+ @comment GNU
+ @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
++@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
++@c Calls isdigit multiple times, locale may change in between.
+ The @code{strverscmp} function compares the string @var{s1} against
+ @var{s2}, considering them as holding indices/version numbers.  The
+ return value follows the same conventions as found in the
+@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
+ @comment string.h
+ @comment ISO
+ @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
++@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
++@c Adjust alphasort one safety info is determined.
+ The @code{strcoll} function is similar to @code{strcmp} but uses the
+ collating sequence of the current locale for collation (the
+ @code{LC_COLLATE} locale).
+diff --git a/manual/terminal.texi b/manual/terminal.texi
+index 9e9c057..7f62a4e 100644
+--- a/manual/terminal.texi
++++ b/manual/terminal.texi
+@@ -264,6 +264,9 @@ array.
+ @comment termios.h
+ @comment POSIX.1
+ @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Converting the kernel-returned termios data structure to the userland
++@c format does not ensure atomic or consistent writing.
+ This function is used to examine the attributes of the terminal
+ device with file descriptor @var{filedes}.  The attributes are returned
+ in the structure that @var{termios-p} points to.
+@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
+ @comment termios.h
+ @comment POSIX.1
+ @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
++@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
++@c Converting the incoming termios data structure to the kernel format
++@c does not ensure atomic or consistent reading.
+ This function sets the attributes of the terminal device with file
+ descriptor @var{filedes}.  The new attributes are taken from the
+ structure that @var{termios-p} points to.
+diff --git a/manual/threads.texi b/manual/threads.texi
+index a23ac26..19bfad6 100644
+--- a/manual/threads.texi
++++ b/manual/threads.texi
+@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
+ data destructors or even as members of the thread-specific data, since the
+ latter is passed as an argument to the destructor function.
+ 
++@c FIXME: use @deftypefun for these.
+ @item int pthread_key_delete (pthread_key_t @var{key})
+ Destroy the thread-specific data @var{key} in the calling thread.  The
+ destructor for the thread-specific data is not called during destruction, nor
+@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
+ The system does not have sufficient memory.
+ @end table
+ @end deftypefun
++
++@c FIXME these are undocumented:
++@c pthread_atfork
++@c pthread_attr_destroy
++@c pthread_attr_getaffinity_np
++@c pthread_attr_getdetachstate
++@c pthread_attr_getguardsize
++@c pthread_attr_getinheritsched
++@c pthread_attr_getschedparam
++@c pthread_attr_getschedpolicy
++@c pthread_attr_getscope
++@c pthread_attr_getstack
++@c pthread_attr_getstackaddr
++@c pthread_attr_getstacksize
++@c pthread_attr_init
++@c pthread_attr_setaffinity_np
++@c pthread_attr_setdetachstate
++@c pthread_attr_setguardsize
++@c pthread_attr_setinheritsched
++@c pthread_attr_setschedparam
++@c pthread_attr_setschedpolicy
++@c pthread_attr_setscope
++@c pthread_attr_setstack
++@c pthread_attr_setstackaddr
++@c pthread_attr_setstacksize
++@c pthread_barrierattr_destroy
++@c pthread_barrierattr_getpshared
++@c pthread_barrierattr_init
++@c pthread_barrierattr_setpshared
++@c pthread_barrier_destroy
++@c pthread_barrier_init
++@c pthread_barrier_wait
++@c pthread_cancel
++@c pthread_cleanup_push
++@c pthread_cleanup_pop
++@c pthread_condattr_destroy
++@c pthread_condattr_getclock
++@c pthread_condattr_getpshared
++@c pthread_condattr_init
++@c pthread_condattr_setclock
++@c pthread_condattr_setpshared
++@c pthread_cond_broadcast
++@c pthread_cond_destroy
++@c pthread_cond_init
++@c pthread_cond_signal
++@c pthread_cond_timedwait
++@c pthread_cond_wait
++@c pthread_create
++@c pthread_detach
++@c pthread_equal
++@c pthread_exit
++@c pthread_getaffinity_np
++@c pthread_getattr_np
++@c pthread_getconcurrency
++@c pthread_getcpuclockid
++@c pthread_getname_np
++@c pthread_getschedparam
++@c pthread_join
++@c pthread_kill
++@c pthread_kill_other_threads_np
++@c pthread_mutexattr_destroy
++@c pthread_mutexattr_getkind_np
++@c pthread_mutexattr_getprioceiling
++@c pthread_mutexattr_getprotocol
++@c pthread_mutexattr_getpshared
++@c pthread_mutexattr_getrobust
++@c pthread_mutexattr_getrobust_np
++@c pthread_mutexattr_gettype
++@c pthread_mutexattr_init
++@c pthread_mutexattr_setkind_np
++@c pthread_mutexattr_setprioceiling
++@c pthread_mutexattr_setprotocol
++@c pthread_mutexattr_setpshared
++@c pthread_mutexattr_setrobust
++@c pthread_mutexattr_setrobust_np
++@c pthread_mutexattr_settype
++@c pthread_mutex_consistent
++@c pthread_mutex_consistent_np
++@c pthread_mutex_destroy
++@c pthread_mutex_getprioceiling
++@c pthread_mutex_init
++@c pthread_mutex_lock
++@c pthread_mutex_setprioceiling
++@c pthread_mutex_timedlock
++@c pthread_mutex_trylock
++@c pthread_mutex_unlock
++@c pthread_once
++@c pthread_rwlockattr_destroy
++@c pthread_rwlockattr_getkind_np
++@c pthread_rwlockattr_getpshared
++@c pthread_rwlockattr_init
++@c pthread_rwlockattr_setkind_np
++@c pthread_rwlockattr_setpshared
++@c pthread_rwlock_destroy
++@c pthread_rwlock_init
++@c pthread_rwlock_rdlock
++@c pthread_rwlock_timedrdlock
++@c pthread_rwlock_timedwrlock
++@c pthread_rwlock_tryrdlock
++@c pthread_rwlock_trywrlock
++@c pthread_rwlock_unlock
++@c pthread_rwlock_wrlock
++@c pthread_self
++@c pthread_setaffinity_np
++@c pthread_setcancelstate
++@c pthread_setcanceltype
++@c pthread_setconcurrency
++@c pthread_setname_np
++@c pthread_setschedparam
++@c pthread_setschedprio
++@c pthread_sigmask
++@c pthread_sigqueue
++@c pthread_spin_destroy
++@c pthread_spin_init
++@c pthread_spin_lock
++@c pthread_spin_trylock
++@c pthread_spin_unlock
++@c pthread_testcancel
++@c pthread_timedjoin_np
++@c pthread_tryjoin_np
++@c pthread_yield
+diff --git a/manual/time.texi b/manual/time.texi
+index ff31e28..3967b24 100644
+--- a/manual/time.texi
++++ b/manual/time.texi
+@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
+ @comment sys/time.h
+ @comment BSD
+ @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
++@safety{@mtsafe{}@assafe{}@acsafe{}}
++@c On most GNU/Linux systems this is a direct syscall, but the posix/
++@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
++@c localtime_r, saving and restoring tzname in an unsafe manner.
++@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
++@c for vdso resolution.  ifunc-vdso-revisit.
+ The @code{gettimeofday} function returns the current calendar time as
+ the elapsed time since the epoch in the @code{struct timeval} structure
+ indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of
diff --git a/patches/manual-document-mt-safety.patch b/patches/manual-document-mt-safety.patch
new file mode 100644
index 0000000..09977f1
--- /dev/null
+++ b/patches/manual-document-mt-safety.patch
@@ -0,0 +1,386 @@
+Bottom: 13f15f706fb1ff430a99cba2788b2c38389fb60e
+Top:    4efc67610afbdb4ae5fe31b2b904569f7a82116e
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:35 -0300
+
+Thread safety documentation.
+
+for  ChangeLog
+
+	* manual/macros.texi: Introduce macros to document thread
+	safety properties.
+	* manual/intro.texi: Introduce the properties themselves.
+
+
+---
+
+diff --git a/manual/intro.texi b/manual/intro.texi
+index deaf089..2630a77 100644
+--- a/manual/intro.texi
++++ b/manual/intro.texi
+@@ -172,6 +172,314 @@ pattern matching facilities (@pxref{Pattern Matching}).
+ @comment <wordexp.h> (not yet implemented)
+ @comment confstr
+ 
++The safety properties of @glibcadj{} functions, documented as MT-, AS-
++and AC- -Safe and -Unsafe are assessed according to the criteria set
++forth in the POSIX standard for Multi-Thread, Async-Signal and
++Async-Cancel safety.
++
++Intuitive definition of these properties, that attempt to capture
++the meaning of the standard definitions, follow:
++
++@itemize @bullet
++
++@item 
++@cindex MT-Safe
++MT-Safe functions are safe to call in the presence of other threads.  MT
++stands for Multi Thread.
++
++@item 
++@cindex AS-Safe
++AS-Safe functions are safe to call from asynchronous signal handlers.
++AS stands for Asynchronous Signal.
++
++@item
++@cindex AC-Safe
++AC-Safe functions are safe to call when asynchronous cancellation is
++enabled.  AC stands for Asynchronous Cancellation.
++
++@item 
++@cindex MT-Unsafe
++@cindex AS-Unsafe
++@cindex AC-Unsafe
++MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
++the contexts described above: they may cause deviations from the
++specification in the behavior of the calls themselves, or of any other
++concurrent, ongoing or subsequent calls.
++
++Functions not explicitly documented as Safe should be regarded as
++Unsafe.
++
++@end itemize
++
++By ``safe to call'', we mean that, as long as the program does not
++invoke undefined or unspecified behavior, the called functions will
++behave as documented, and they won't cause any other functions to
++deviate from their documented behavior.
++
++Although we strive to abide by the standards, in some cases our
++implementation is safe even when the standard does not demand safety,
++and in other cases our implementation does not meet the standard safety
++requirements.  At this point, we document the result of an assessment of
++the properties of our implementation, so the safety documentation in
++this manual is not to be regarded as a promise of future behavior: in
++future releases, functions that are documented as safe may become
++unsafe, and safety constraints may be removed or introduced.  We
++envision turning the results of the assessment into a set of promises as
++stable as our interfaces, but we're not there yet.
++
++When a function is safe to call only under certain constraints, we will
++add keywords to the safety notes whose meanings are defined as follows:
++
++@itemize @bullet
++
++@c glocale-revisit
++@item @code{glocale}
++@cindex glocale
++
++In threads that have not overridden the thread-local locale object by
++calling @code{uselocale}, calling functions annotated with
++@code{glocale} concurrently with @code{setlocale} may cause the
++functions to behave in ways that don't correspond to either the previous
++or the subsequent global locale.
++
++Although the @code{setlocale} function modifies the global locale object
++while holding a lock, @code{glocale}-annotated functions may access this
++global object multiple times, without any measures to ensure it doesn't
++change while it's in use.
++
++Each of these unprotected uses will use either the previous or the
++subsequent locale information, so they won't cause crashes or access to
++uninitialized, unmapped or recycled memory.  However, since some cases
++use cached locale information while others access the effective locale
++object anew, concurrent changes to the global locale object may cause
++these functions to behave in ways that they could not behave should the
++execution of @code{setlocale} and of the so-annotated functions be
++atomic, or even should @code{setlocale} alone be atomic.
++
++The @code{glocale} constraint indicates functions are only safe to call
++if the effective thread-local locale is not the global locale object
++(because it was overridden with @code{uselocale}).  Failing that,
++@code{setlocale} should not be called while these functions are active.
++
++
++@item @code{uunguard}
++@cindex uunguard
++
++Functions marked with @code{uunguard} modify non-atomically arguments or
++global objects that other functions access without synchronization.  To
++ensure MT- and AS-Safe behavior, callers should refrain from calling
++so-marked functions concurrently with users of the corresponding
++objects.
++
++Unguarded users of the global locale object modified by @code{setlocale}
++are marked with @code{glocale}.
++
++Unguarded users of the @code{printf} extension objects modified by
++@code{register_printf_function} are the entire family of printf
++functions.
++
++Unguarded users of streams configured with @code{__fsetlocking} for
++locking by the caller are the entire family of stdio functions.
++
++
++@item @code{xguargs}
++@cindex xguargs
++
++Functions marked with @code{xguargs} may use or modify objects passed as
++arguments without any guards to ensure consistency.  To ensure MT- and
++AS-Safe behavior, callers must ensure that the objects passed in are not
++modified concurrently by other threads or signal handlers.
++
++
++@end itemize
++
++
++Additional safety issues that cannot be worked around by constraining
++the program are also documented with keywords, whose meaning is defined
++as follows:
++
++@itemize @bullet
++
++@item @code{staticbuf}
++@cindex staticbuf
++
++Functions annotated with @code{staticbuf} use internal static buffers or
++variables in ways that may cause concurrent calls to interfere
++destructively.
++
++These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
++offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
++
++
++@item @code{fdleak}
++@cindex fdleak
++
++Functions annotated with @code{fdleak} may leak file descriptors if
++asynchronous thread cancellation interrupts their execution.
++
++Functions that allocate or deallocate file descriptors will generally be
++marked as such, because even if they attempted to protect the file
++descriptor allocation and deallocation with cleanup regions, allocating
++a new descriptor and storing its number where the cleanup region could
++release it cannot be performed as a single atomic operation, just like
++releasing it and taking it out of the data structure normally
++responsible for releasing it cannot be performed atomically, always
++leaving a window in which the descriptor cannot be released because it
++wasn't stored in the cleanup handler argument yet, or in which it was
++already taken out of it before releasing it in the normal flow (we
++cannot keep it there because, in case of cancellation, we wouldn't be
++able to tell whether it was already released, and the same number could
++have been already assigned to another descriptor by another thread, so
++we couldn't just release it again).
++
++Such leaks could be internally avoided, with some performance penalty,
++by temporarily disabling asynchronous thread cancellation.  However,
++since callers of allocation or deallocation functions would have to do
++this themselves, to avoid the same sort of leak in their own layer, it
++makes more sense for the library to assume they are taking care of it
++than to impose a performance penalty that is redundant when the problem
++is solved in upper layers, and insufficient when it isn't.
++
++This remark by itself does not cause a function to be regarded as
++AC-Unsafe.  However, cummulative effects of such leaks may pose a
++problem for some programs.  If this is the case, suspending asynchronous
++cancellation for the duration of calls to such functions is recommended.
++
++
++@item @code{memleak}
++@cindex memleak
++
++Functions annotated with @code{memleak} may leak memory if asynchronous
++thread cancellation interrupts their execution.
++
++The problem is similar to that of file descriptors: there is no atomic
++interface to allocate memory and store its address in the argument to a
++cleanup handler, or to release it and remove its address from that
++argument, without at least temporarily disabling asynchronous
++cancellation, which these functions do not do.
++
++This remark does not by itself cause a function to be regarded as
++generally AC-Unsafe.  However, cummulative effects of such leaks may be
++severe enough for some programs that disabling asynchronous cancellation
++for the duration of calls to such functions may be required.
++
++
++@item @code{lockleak}
++@cindex lockleak
++
++Functions annotated with @code{lockleak} may leak locks if asynchronous
++thread cancellation interrupts their execution.
++
++While the problem is similar to that of file descriptors, in that there
++is not any atomic interface to lock and take note of the need for
++unlocking in a cleanup, or to unlock and take note that there is no
++longer such a need, the problem posed by lock leaks is far more serious:
++when a file descriptor or a piece of memory is leaked, it becomes
++inaccessible and subsequent attempts to allocate a file descriptor or
++some memory will just use another resource.  However, once a lock is
++left taken, attempts to take that lock will block indefinitely.
++(Recursive locks will only block other threads, and read locks will only
++block writer threads, but the point still holds in general).
++
++For the reasons above, functions that leak locks are all AC-Unsafe.
++
++
++@item @code{selfdeadlock}
++@cindex selfdeadlock
++
++Functions marked with @code{selfdeadlock} take a non-recursive lock to
++ensure MT-Safety while modifying data structures guarded by the lock.
++
++If such a function is interrupted by a signal while holding the lock,
++and the signal handler calls any function that takes the same
++non-recursive lock, the result is a deadlock.
++
++Blocking asynchronous signal delivery while calling such functions is
++the only safe way to avoid a deadlock if any signal handler might need
++to call them.
++
++
++@item @code{asynconsist}
++@cindex asynconsist
++
++Functions marked with @code{asynconsist} take a recursive lock to ensure
++MT-Safety while accessing or modifying data structures guarded by the
++lock.
++
++If such a function is interrupted by a signal while holding the lock,
++and the signal handler calls any function that takes the same
++non-recursive lock, the latter function may observe a partially updated,
++inconsistent data structure, and misbehave.
++
++Blocking asynchronous signal delivery while calling such functions is
++the only safe way to avoid the misbehavior that may ensue if any signal
++handler might need to call them.
++
++
++@item @code{asmalloc}
++@cindex asmalloc
++
++This is a sub-case of @code{asynconsist}.  Functions marked with
++@code{asmalloc} perform memory allocation or deallocation with the
++@code{malloc}/@code{free} family of functions.
++
++If heap management functions are interrupted by asynchronous signals,
++and the signal handlers attempt to perform memory allocation or
++deallocation of their own, they may encounter heap data structures in a
++partially updated state, and the interrupted calls may malfunction
++because of the changes made within the signal handler.
++
++
++@item @code{incansist}
++@cindex incansist
++
++Functions marked with @code{incansist} modify data structures in a
++non-atomic way.
++
++If such a function is asynchronously canceled, it may leave the data
++structure in a partially updated, inconsistent state.  Subsequent uses
++of the data structure may misbehave.
++
++Disabling asynchronous cancelation while calling such functions is the
++only safe way to avoid the misbehavior that may ensure if the thread is
++canceled while the function is running.
++
++
++@item @code{simfpu}
++@cindex simfpu
++
++Functions annotated with @code{simfpu} may misbehave on powerpc ports in
++which the floating-point unit is disabled and floating point simulation
++is used instead.  On such platforms, @theglibc{} uses global variables
++to hold floating-point exceptions, rounding modes and disabled
++exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
++
++Furthermore, even if this bug is fixed, the emulation of floating-point
++control and status registers will not go as far as saving and restoring
++these emulated registers across asynchronous signal handlers.  Indeed,
++although most platforms preserve floating-point context as part of the
++thread context, preserving control and status words is not mandatory:
++standards recommend that programs that modify them within signal
++handlers restore them to the original state before returning.
++
++This note does not cause functions to be marked as MT-Unsafe, even
++though, on the affected platform, they are MT-Unsafe indeed.
++
++
++@item @code{unposix}
++@cindex unposix
++
++This remark indicates our safety documentation is known to differ from
++the requirements set by the POSIX standard.  For example, POSIX does not
++require a function to be Safe, but our implementation is Safe, or
++vice-versa.
++
++For the time being, the absence of this remark does not imply the safety
++propertes we documentated are identical to those mandated by POSIX for
++the corresponding functions.
++
++@end itemize
++
+ 
+ @node Berkeley Unix, SVID, POSIX, Standards and Portability
+ @subsection Berkeley Unix
+diff --git a/manual/macros.texi b/manual/macros.texi
+index daaf1c0..6955f32 100644
+--- a/manual/macros.texi
++++ b/manual/macros.texi
+@@ -47,4 +47,46 @@ GNU/Hurd systems
+ GNU/Linux systems
+ @end macro
+ 
++@c Document a function as thread safe.
++@macro mtsafe {comments}
++| MT-Safe \comments\
++|
++@end macro
++@c Document a function as thread unsafe.
++@macro mtunsafe {comments}
++| MT-Unsafe \comments\
++|
++@end macro
++@c Document a function as safe for use in asynchronous signal handlers.
++@macro assafe {comments}
++| AS-Safe \comments\
++|
++@end macro
++@c Document a function as unsafe for use in asynchronous signal
++@c handlers.  This distinguishes unmarked functions, for which this
++@c property has not been assessed, from those that have been analyzed.
++@macro asunsafe {comments}
++| AS-Unsafe \comments\
++|
++@end macro
++@c Document a function as safe for use when asynchronous cancellation is
++@c enabled.
++@macro acsafe {comments}
++| AC-Safe \comments\
++|
++@end macro
++@c Document a function as unsafe for use when asynchronous cancellation
++@c is enabled.  This distinguishes unmarked functions, for which this
++@c property has not been assessed, from those that have been analyzed.
++@macro acunsafe {comments}
++| AC-Unsafe \comments\
++|
++@end macro
++@c Format the thread and async safety properties of a function.
++@macro safety {notes}
++\notes\
++
++
++@end macro
++
+ @end ifclear
diff --git a/patches/powerpc-nofpu-sim-note-nothread.patch b/patches/powerpc-nofpu-sim-note-nothread.patch
new file mode 100644
index 0000000..fb9723a
--- /dev/null
+++ b/patches/powerpc-nofpu-sim-note-nothread.patch
@@ -0,0 +1,67 @@
+Bottom: 4efc67610afbdb4ae5fe31b2b904569f7a82116e
+Top:    83a97471a9f798dbf70f921529bea532c0632478
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:36 -0300
+
+Note that powerpc fpu emulation status is not thread- or signal-safe.
+
+for  ports/ChangeLog.powerpc
+
+	PR 15483
+	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
+	the need for thread-specific variables preserved across signal
+	handlers.
+	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
+	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.
+
+
+---
+
+diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
+index fc061d0..e167033 100644
+--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
++++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
+@@ -21,6 +21,11 @@
+ #include "soft-fp.h"
+ #include "soft-supp.h"
+ 
++/* FIXME: these variables should be thread specific (see bugzilla bug
++   15483) and ideally preserved across signal handlers, like hardware
++   FP status words, but the latter is quite difficult to accomplish in
++   userland.  */
++
+ /* Global to store sticky exceptions.  */
+ int __sim_exceptions __attribute__ ((nocommon));
+ libc_hidden_data_def (__sim_exceptions);
+diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
+index b9638bb..64a3d2a 100644
+--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
++++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
+@@ -26,6 +26,11 @@ typedef union
+ } fenv_union_t;
+ 
+ 
++/* FIXME: these variables should be thread specific (see bugzilla bug
++   15483) and ideally preserved across signal handlers, like hardware
++   FP status words, but the latter is quite difficult to accomplish in
++   userland.  */
++
+ extern int __sim_exceptions;
+ libc_hidden_proto (__sim_exceptions);
+ extern int __sim_disabled_exceptions;
+diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+index c2a190e..508d869 100644
+--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
++++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+@@ -54,6 +54,11 @@
+ #define FP_ROUNDMODE          __sim_round_mode
+ #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
+ 
++/* FIXME: these variables should be thread specific (see bugzilla bug
++   15483) and ideally preserved across signal handlers, like hardware
++   FP status words, but the latter is quite difficult to accomplish in
++   userland.  */
++
+ extern int __sim_exceptions;
+ libc_hidden_proto (__sim_exceptions);
+ extern int __sim_disabled_exceptions;
diff --git a/patches/unused-scalb-is-scalbn.patch b/patches/unused-scalb-is-scalbn.patch
new file mode 100644
index 0000000..2e01b9a
--- /dev/null
+++ b/patches/unused-scalb-is-scalbn.patch
@@ -0,0 +1,75 @@
+Bottom: 83a97471a9f798dbf70f921529bea532c0632478
+Top:    58842960ffbf63afb50845d77d86b584785bfb5d
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   2013-06-26 10:46:37 -0300
+
+Rename unused scalb to scalbn to match prototype.
+
+for  ChangeLog
+
+	* sysdeps/ieee754/support.c (scalbn): Rename from
+	wrongly-typed scalb.  Adjust all callers.  Apparently unused.
+
+
+---
+
+diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
+index 00476c0..0bbd892f 100644
+--- a/sysdeps/ieee754/support.c
++++ b/sysdeps/ieee754/support.c
+@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
+     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
+ #endif	/* defined(vax)||defined(tahoe) */
+ 
+-double scalb(x,N)
++double scalbn(x,N)
+ double x; int N;
+ {
+         int k;
+@@ -106,7 +106,7 @@ double x; int N;
+         if( (k= *px & mexp ) != mexp ) {
+             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
+             if( k == 0 ) {
+-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
++                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
+ #endif	/* defined(vax)||defined(tahoe) */
+ 
+             if((k = (k>>gap)+ N) > 0 )
+@@ -115,7 +115,7 @@ double x; int N;
+             else
+                 if( k > -prep1 )
+                                         /* gradual underflow */
+-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
++                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
+                 else
+                 return(nunf*nunf);
+             }
+@@ -228,7 +228,7 @@ double x,p;
+ 
+         else  if ( ((*pp & mexp)>>gap) <= 1 )
+                 /* subnormal p, or almost subnormal p */
+-            { double b; b=scalb(1.0,(int)prep1);
++            { double b; b=scalbn(1.0,(int)prep1);
+               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
+         else  if ( p >= novf/2)
+             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
+@@ -294,8 +294,8 @@ double x;
+ 
+     /* scale x to [1,4) */
+         n=logb(x);
+-        x=scalb(x,-n);
+-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
++        x=scalbn(x,-n);
++        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
+         m += n;
+         n = m/2;
+         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
+@@ -326,7 +326,7 @@ double x;
+                 b=1.0+r/4;   if(b>1.0) t=1;
+                 if(t>=0) q+=r; }
+ 
+-end:        return(scalb(q,n));
++end:        return(scalbn(q,n));
+ }
+ 
+ #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=08d66cf64dcb2bce1a99e163cd4941e2c77b4a37

commit 08d66cf64dcb2bce1a99e163cd4941e2c77b4a37
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:48 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/???.texi: Document thread safety properties.

diff --git a/manual/argp.texi b/manual/argp.texi
index c9fbe97..5322f91 100644
--- a/manual/argp.texi
+++ b/manual/argp.texi
@@ -36,6 +36,35 @@ needed in @code{main}.
 @comment argp.h
 @comment GNU
 @deftypefun {error_t} argp_parse (const struct argp *@var{argp}, int @var{argc}, char **@var{argv}, unsigned @var{flags}, int *@var{arg_index}, void *@var{input})
+@safety{@mtunsafe{xguargs, envromt}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Optionally alloca()tes standard help options, initializes the parser,
+@c then parses individual args in a loop, and then finalizes.
+@c  parser_init
+@c   calc_sizes ok
+@c    option_is_end ok
+@c   malloc
+@c   parser_convert glocale
+@c    convert_options glocale
+@c     option_is_end ok
+@c     option_is_short ok
+@c      isprint, but locale may change within the loop
+@c     find_long_option ok
+@c   group_parse
+@c    group->parser (from argp->parser)
+@c  parser_parse_next
+@c   getopt_long(_only)_r many issues, same as non_r minus staticbuf
+@c   parser_parse_arg
+@c    group_parse
+@c   parser_parse_opt
+@c    group_parse
+@c    argp_error
+@c    dgettext (bad key error)
+@c  parser_finalize
+@c   group_parse
+@c   fprintf
+@c   dgettext
+@c   arg_state_help
+@c   free
 The @code{argp_parse} function parses the arguments in @var{argv}, of
 length @var{argc}, using the argp parser @var{argp}.  @xref{Argp
 Parsers}.  Passing a null pointer for @var{argp} is the same as using
@@ -660,6 +689,8 @@ parser function.  @xref{Argp Parsing State}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_usage (const struct argp_state *@var{state})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls argp_state_help with stderr and ARGP_HELP_STD_USAGE.
 Outputs the standard usage message for the argp parser referred to by
 @var{state} to @code{@var{state}->err_stream} and terminate the program
 with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
@@ -669,6 +700,13 @@ with @code{exit (argp_err_exit_status)}.  @xref{Argp Global Variables}.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_error (const struct argp_state *@var{state}, const char *@var{fmt}, @dots{})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Lock stream, vasprintf the formatted message into a buffer, print the
+@c buffer prefixed by the short program name (in libc,
+@c argp_short_program_name is a macro that expands to
+@c program_invocation_short_name), releases the buffer, then call
+@c argp_state_help with stream and ARGP_HELP_STD_ERR, unlocking the
+@c stream at the end.
 Prints the printf format string @var{fmt} and following args, preceded
 by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 --help}} message, and terminates the program with an exit status of
@@ -679,6 +717,12 @@ by the program name and @samp{:}, and followed by a @w{@samp{Try @dots{}
 @comment argp.h
 @comment GNU
 @deftypefun void argp_failure (const struct argp_state *@var{state}, int @var{status}, int @var{errnum}, const char *@var{fmt}, @dots{})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc}@acunsafe{lockleak, incansist, memleak}}
+@c Lock stream, write out the short program name, vasprintf the optional
+@c formatted message to a buffer, print the buffer prefixed by colon and
+@c blank, release the buffer, call strerror_r with an automatic buffer,
+@c print it out after colon and blank, put[w]c a line break, unlock the
+@c stream, then exit unless ARGP_NO_EXIT.
 Similar to the standard gnu error-reporting function @code{error}, this
 prints the program name and @samp{:}, the printf format string
 @var{fmt}, and the appropriate following args.  If it is non-zero, the
@@ -695,6 +739,141 @@ for options, bad phase of the moon, etc.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_state_help (const struct argp_state *@var{state}, FILE *@var{stream}, unsigned @var{flags})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help with the short program name and optionally exit.
+@c The main problems in _help, besides the usual issues with stream I/O
+@c and translation, are the use of a static buffer (uparams) that makes
+@c the whole thing thread-unsafe, reading from the environment for
+@c ARGP_HELP_FMT, accessing the locale object multiple times.
+
+@c _help envromt, staticbuf (uparams), glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c  dgettext asi18n
+@c  flockfile lockleak
+@c  funlockfile lockleak
+@c  fill_in_uparams envromt, staticbuf (uparams), glocale, asynconsist, asmalloc, lockleak, incansist, memleak
+@c   argp_failure dup (status = errnum = 0)
+@c   atoi dup
+@c  argp_hol asmalloc, memleak
+@c   make_hol asmalloc, memleak
+@c   hol_add_cluster asmalloc, memleak
+@c   hol_append asmalloc, memleak
+@c  hol_set_group ok
+@c   hol_find_entry ok
+@c  hol_sort glocale, asmalloc, memleak
+@c   qsort asmalloc, memleak
+@c    hol_entry_qcmp glocale
+@c     hol_entry_cmp glocale
+@c      group_cmp ok
+@c      hol_cluster_cmp ok
+@c       group_cmp ok
+@c      hol_entry_first_short glocale
+@c       hol_entry_short_iterate [glocale]
+@c        until_short ok
+@c         oshort ok
+@c          isprint ok
+@c      odoc ok
+@c      hol_entry_first_long ok
+@c      canon_doc_option glocale
+@c      tolower dup
+@c  hol_usage glocale, asi18n, asmalloc, memleak
+@c   hol_entry_short_iterate ok
+@c    add_argless_short_opt ok
+@c   argp_fmtstream_printf dup
+@c   hol_entry_short_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_argful_short_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c   hol_entry_long_iterate glocale, asi18n, asmalloc, memleak
+@c    usage_long_opt glocale, asi18n, asmalloc, memleak
+@c     dgettext dup
+@c     argp_fmtstream_printf dup
+@c  hol_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   hol_entry_help glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_set_lmargin dup
+@c    argp_fmtstream_wmargin dup
+@c    argp_fmtstream_set_wmargin dup
+@c    comma glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_putc dup
+@c     hol_cluster_is_child ok
+@c     argp_fmtstream_wmargin dup
+@c     print_header dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     indent_to dup
+@c    argp_fmtstream_putc dup
+@c    arg glocale, asmalloc, memleak
+@c     argp_fmtstream_printf dup
+@c    odoc dup
+@c    argp_fmtstream_puts dup
+@c    argp_fmtstream_printf dup
+@c    print_header glocale, staticbuf (uparams), asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c     dgettext dup
+@c     filter_doc dup
+@c     argp_fmtstream_putc dup
+@c     indent_to dup
+@c     argp_fmtstream_set_lmargin dup
+@c     argp_fmtstream_set_wmargin dup
+@c     argp_fmtstream_puts dup
+@c     free dup
+@c    filter_doc dup
+@c    argp_fmtstream_point dup
+@c    indent_to glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_point dup
+@c     argp_fmtstream_putc dup
+@c   dgettext dup
+@c   filter_doc dup
+@c   argp_fmtstream_putc dup
+@c   argp_fmtstream_puts dup
+@c   free dup
+@c  hol_free asmalloc, memleak
+@c   free dup
+@c  argp_args_levels ok
+@c  argp_args_usage glocale, asi18n, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   dgettext dup
+@c   filter_doc ok
+@c    argp_input ok
+@c    argp->help_filter
+@c   space glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_point dup
+@c    argp_fmtstream_rmargin glocale, asynconsist, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c    argp_fmtstream_putc dup
+@c   argp_fmtstream_write dup
+@c   free dup
+@c  argp_doc glocale, asmalloc, asi18n, asynconsist, memleak, incansist, lockleak
+@c   dgettext asi18n
+@c   strndup asmalloc, memleak
+@c   argp_input dup
+@c   argp->help_filter
+@c   argp_fmtstream_putc glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure dup
+@c   argp_fmtstream_write dup
+@c   argp_fmtstream_puts dup
+@c   argp_fmtstream_point glocale, asynconsist, incansist, lockleak
+@c    argp_fmtstream_update dup
+@c   argp_fmtstream_lmargin dup
+@c   free dup
+@c  argp_make_fmtstream asmalloc, memleak
+@c  argp_fmtstream_free glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_update glocale, asynconsist, incansist, lockleak
+@c    put[w]c_unlocked dup
+@c    isblank in loop glocale
+@c    fxprintf lockleak
+@c   fxprintf lockleak
+@c   free dup
+@c  argp_fmtstream_set_wmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_printf glocale, asmalloc, memleak
+@c   argp_fmtstream_ensure dup
+@c   vsnprintf dup
+@c  argp_fmtstream_set_lmargin glocale, asynconsist, incansist, lockleak
+@c   argp_fmtstream_update dup
+@c  argp_fmtstream_puts glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c   argp_fmtstream_write glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c    argp_fmtstream_ensure glocale, asmalloc, asynconsist, memleak, incansist, lockleak
+@c     argp_fmtstream_update dup
+@c     fxprintf lockleak
+@c     realloc asmalloc, memleak
 Outputs a help message for the argp parser referred to by @var{state},
 to @var{stream}.  The @var{flags} argument determines what sort of help
 message is produced.  @xref{Argp Help Flags}.
@@ -928,6 +1107,8 @@ program options, argp offers the @code{argp_help} interface.
 @comment argp.h
 @comment GNU
 @deftypefun void argp_help (const struct argp *@var{argp}, FILE *@var{stream}, unsigned @var{flags}, char *@var{name})
+@safety{@mtunsafe{staticbuf, envromt, glocale}@asunsafe{asmalloc, asi18n, asynconsist}@acunsafe{memleak, incansist, lockleak}}
+@c Just calls _help.  
 This outputs a help message for the argp parser @var{argp} to
 @var{stream}.  The type of messages printed will be determined by
 @var{flags}.
diff --git a/manual/arith.texi b/manual/arith.texi
index 833e0c9..5c3aa9d 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -323,6 +323,7 @@ floating-point number a variable holds.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int fpclassify (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is a generic macro which works on all floating-point types and
 which returns a value of type @code{int}.  The possible values are:
 
@@ -359,6 +360,7 @@ You should therefore use the specific macros whenever possible.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isfinite (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite: not plus or
 minus infinity, and not NaN.  It is equivalent to
 
@@ -373,6 +375,7 @@ floating-point type.
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnormal (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is finite and normalized.
 It is equivalent to
 
@@ -384,6 +387,7 @@ It is equivalent to
 @comment math.h
 @comment ISO
 @deftypefn {Macro} int isnan (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is NaN.  It is equivalent
 to
 
@@ -395,6 +399,7 @@ to
 @comment math.h
 @comment GNU
 @deftypefn {Macro} int issignaling (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value if @var{x} is a signaling NaN
 (sNaN).  It is based on draft TS 18661 and currently enabled as a GNU
 extension.
@@ -2443,6 +2448,32 @@ as well.
 @safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
 @c mpn, but it's all safe.
+@c
+@c round_and_return
+@c   get_rounding_mode ok
+@c   mpn_add_1 ok
+@c   mpn_rshift ok
+@c   MPN_ZERO ok
+@c   MPN2FLOAT -> mpn_construct_(float|double|long_double) ok
+@c str_to_mpn
+@c   mpn_mul_1 -> umul_ppmm ok
+@c   mpn_add_1 ok
+@c mpn_lshift_1 -> mpn_lshift ok
+@c STRTOF_INTERNAL
+@c   MPN_VAR ok
+@c   SET_MANTISSA ok
+@c   STRNCASECMP ok, wide and narrow
+@c   round_and_return ok
+@c   mpn_mul ok
+@c     mpn_addmul_1 ok
+@c     ... mpn_sub
+@c   mpn_lshift ok
+@c   udiv_qrnnd ok
+@c   count_leading_zeros ok
+@c   add_ssaaaa ok
+@c   sub_ddmmss ok
+@c   umul_ppmm ok
+@c   mpn_submul_1 ok
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
diff --git a/manual/charset.texi b/manual/charset.texi
index e21502e..7e6c416 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -504,6 +504,8 @@ sequence points.  Communication protocols often require this.
 @comment wchar.h
 @comment ISO
 @deftypefun int mbsinit (const mbstate_t *@var{ps})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c ps is dereferenced once, unguarded.  Potential harmless data race.
 The @code{mbsinit} function determines whether the state object pointed
 to by @var{ps} is in the initial state.  If @var{ps} is a null pointer or
 the object is in the initial state the return value is nonzero.  Otherwise
@@ -559,6 +561,14 @@ that is beyond the range @math{0} to @math{127}.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t btowc (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls btowc_fct or __fct; reads from locale, and from the
+@c get_gconv_fcts result multiple times.  get_gconv_fcts calls
+@c __wcsmbs_load_conv to initialize the ctype if it's null.
+@c wcsmbs_load_conv takes a non-recursive wrlock before allocating
+@c memory for the fcts structure, initializing it, and then storing it
+@c in the locale object.  The initialization involves dlopening and a
+@c lot more.
 The @code{btowc} function (``byte to wide character'') converts a valid
 single byte character @var{c} in the initial shift state into the wide
 character equivalent using the conversion rules from the currently
@@ -615,6 +625,7 @@ There is also a function for the conversion in the other direction.
 @comment wchar.h
 @comment ISO
 @deftypefun int wctob (wint_t @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctob} function (``wide character to byte'') takes as the
 parameter a valid wide character.  If the multibyte representation for
 this character in the initial state is exactly one byte long, the return
@@ -634,6 +645,7 @@ and they also do not require it to be in the initial state.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrtowc (wchar_t *restrict @var{pwc}, const char *restrict @var{s}, size_t @var{n}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
@@ -728,6 +740,7 @@ function that does part of the work.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbrlen} function (``multibyte restartable length'') computes
 the number of at most @var{n} bytes starting at @var{s}, which form the
 next valid and complete multibyte character.
@@ -811,6 +824,50 @@ doing the work twice.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcrtomb (char *restrict @var{s}, wchar_t @var{wc}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c wcrtomb uses a static, non-thread-local unguarded state variable when
+@c PS is NULL.  When a state is passed in, and it's not used
+@c concurrently in other threads, this function behaves safely as long
+@c as gconv modules don't bring MT safety issues of their own.
+@c Attempting to load gconv modules or to build conversion chains in
+@c signal handlers may encounter gconv databases or caches in a
+@c partially-updated state, and asynchronous cancellation may leave them
+@c in such states, besides leaking the lock that guards them.
+@c get_gconv_fcts ok
+@c    wcsmbs_load_conv ok
+@c      norm_add_slashes ok
+@c      wcsmbs_getfct ok
+@c        gconv_find_transform ok
+@c          gconv_read_conf (libc_once)
+@c          gconv_lookup_cache ok
+@c            find_module_idx ok
+@c            find_module ok
+@c              gconv_find_shlib (ok)
+@c              ->init_fct (assumed ok)
+@c            gconv_get_builtin_trans ok
+@c            gconv_release_step ok
+@c          do_lookup_alias ok
+@c          find_derivation ok
+@c            derivation_lookup ok
+@c            increment_counter ok
+@c              gconv_find_shlib ok
+@c              step->init_fct (assumed ok)
+@c            gen_steps ok
+@c              gconv_find_shlib ok
+@c                dlopen (presumed ok)
+@c                dlsym (presumed ok)
+@c              step->init_fct (assumed ok)
+@c              step->end_fct (assumed ok)
+@c              gconv_get_builtin_trans ok
+@c              gconv_release_step ok
+@c            add_derivation ok
+@c      gconv_close_transform ok
+@c        gconv_release_step ok
+@c          step->end_fct (assumed ok)
+@c          gconv_release_shlib ok
+@c            dlclose (presumed ok)
+@c        gconv_release_cache ok
+@c  ->tomb->__fct (assumed ok)
 The @code{wcrtomb} function (``wide character restartable to
 multibyte'') converts a single wide character into a multibyte string
 corresponding to that wide character.
@@ -955,6 +1012,7 @@ extensions that can help in some important situations.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t mbsrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsrtowcs} function (``multibyte string restartable to wide
 character string'') converts an NUL-terminated multibyte character
 string at @code{*@var{src}} into an equivalent wide character string,
@@ -1039,6 +1097,7 @@ length and passing this length to the function.
 @comment wchar.h
 @comment ISO
 @deftypefun size_t wcsrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsrtombs} function (``wide character string restartable to
 multibyte string'') converts the NUL-terminated wide character string at
 @code{*@var{src}} into an equivalent multibyte character string and
@@ -1084,6 +1143,7 @@ array size (the @var{len} parameter).
 @comment wchar.h
 @comment GNU
 @deftypefun size_t mbsnrtowcs (wchar_t *restrict @var{dst}, const char **restrict @var{src}, size_t @var{nmc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbsnrtowcs} function is very similar to the @code{mbsrtowcs}
 function.  All the parameters are the same except for @var{nmc}, which is
 new.  The return value is the same as for @code{mbsrtowcs}.
@@ -1136,6 +1196,7 @@ of the given buffer, there is no problem with altering the state.
 @comment wchar.h
 @comment GNU
 @deftypefun size_t wcsnrtombs (char *restrict @var{dst}, const wchar_t **restrict @var{src}, size_t @var{nwc}, size_t @var{len}, mbstate_t *restrict @var{ps})
+@safety{@mtunsafe{staticbuf (if ps is null)}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcsnrtombs} function implements the conversion from wide
 character strings to multibyte character strings.  It is similar to
 @code{wcsrtombs} but, just like @code{mbsnrtowcs}, it takes an extra
@@ -1280,6 +1341,7 @@ conversion functions.}
 @comment stdlib.h
 @comment ISO
 @deftypefun int mbtowc (wchar_t *restrict @var{result}, const char *restrict @var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mbtowc} (``multibyte to wide character'') function when called
 with non-null @var{string} converts the first multibyte character
 beginning at @var{string} to its corresponding wide character code.  It
@@ -1314,6 +1376,7 @@ shift state.  @xref{Shift State}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int wctomb (char *@var{string}, wchar_t @var{wchar})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wctomb} (``wide character to multibyte'') function converts
 the wide character code @var{wchar} to its corresponding multibyte
 character sequence, and stores the result in bytes starting at
@@ -1353,6 +1416,7 @@ terms of @code{mbtowc}.
 @comment stdlib.h
 @comment ISO
 @deftypefun int mblen (const char *@var{string}, size_t @var{size})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{mblen} function with a non-null @var{string} argument returns
 the number of bytes that make up the multibyte character beginning at
 @var{string}, never examining more than @var{size} bytes.  (The idea is
@@ -1391,6 +1455,9 @@ suffer from the same problems as their reentrant counterparts from
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t mbstowcs (wchar_t *@var{wstring}, const char *@var{string}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Odd...  Although this is in the non-reentrant section, the state
+@c object is automatic, not a static buffer.
 The @code{mbstowcs} (``multibyte string to wide character string'')
 function converts the null-terminated string of multibyte characters
 @var{string} to an array of wide character codes, storing not more than
@@ -1431,6 +1498,7 @@ mbstowcs_alloc (const char *string)
 @comment stdlib.h
 @comment ISO
 @deftypefun size_t wcstombs (char *@var{string}, const wchar_t *@var{wstring}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
 The @code{wcstombs} (``wide character string to multibyte string'')
 function converts the null-terminated wide character array @var{wstring}
 into a string containing multibyte characters, storing not more than
@@ -1618,6 +1686,16 @@ The first step is the function to create a handle.
 @comment iconv.h
 @comment XPG2
 @deftypefun iconv_t iconv_open (const char *@var{tocode}, const char *@var{fromcode})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, fdleak, shlimb}}
+@c Calls malloc if tocode and/or fromcode are too big for alloca.  Calls
+@c strip and upstr on both, then gconv_open.  strip and upstr call
+@c isalnum_l and toupper_l with the C locale.  gconv_open may MT-safely
+@c tokenize toset, replace unspecified codesets with the current locale
+@c (posibly two different accesses), and finally it calls
+@c gconv_find_transform and initializes the gconv_t result with all the
+@c steps in the conversion sequence, running each one's initializer,
+@c destructing and releasing them all if anything fails.
+
 The @code{iconv_open} function has to be used before starting a
 conversion.  The two parameters this function takes determine the
 source and destination character set for the conversion, and if the
@@ -1682,6 +1760,12 @@ conversion is not needed anymore.
 @comment iconv.h
 @comment XPG2
 @deftypefun int iconv_close (iconv_t @var{cd})
+@safety{@mtsafe{}@asunsafe{asynconsist, asmalloc, selfdeadlock, shlimb}@acunsafe{incansist, lockleak, memleak, shlimb}}
+@c Calls gconv_close to destruct and release each of the conversion
+@c steps, release the gconv_t object, then call gconv_close_transform.
+@c Access to the gconv_t object is not guarded, but calling iconv_close
+@c concurrently with any other use is undefined.
+
 The @code{iconv_close} function frees all resources associated with the
 handle @var{cd}, which must have been returned by a successful call to
 the @code{iconv_open} function.
@@ -1708,6 +1792,10 @@ even file to file can be implemented on top of it.
 @comment iconv.h
 @comment XPG2
 @deftypefun size_t iconv (iconv_t @var{cd}, char **@var{inbuf}, size_t *@var{inbytesleft}, char **@var{outbuf}, size_t *@var{outbytesleft})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c Without guarding access to the gconv_t object pointed to by cd, call
+@c the conversion function to convert inbuf or flush the internal
+@c conversion state.
 @cindex stateful
 The @code{iconv} function converts the text in the input buffer
 according to the rules associated with the descriptor @var{cd} and
diff --git a/manual/conf.texi b/manual/conf.texi
index 7eb8b36..edbb2fd 100644
--- a/manual/conf.texi
+++ b/manual/conf.texi
@@ -288,6 +288,17 @@ constants are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} sysconf (int @var{parameter})
+@safety{@mtsafe{envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak, fdleak}}
+@c Some parts of the implementation open /proc and /sys files and dirs
+@c to collect system details, using fd and stream I/O depending on the
+@c case.  _SC_TZNAME_MAX calls __tzname_max, that (while holding a lock)
+@c calls tzset_internal, that calls getenv if it's called the first
+@c time; there are free and strdup calls in there too.  The returned max
+@c value may change over time for TZNAME_MAX, depending on selected
+@c timezones; NPROCS, NPROCS_CONF, PHYS_PAGES, AVPHYS_PAGES,
+@c NGROUPS_MAX, SIGQUEUE_MAX, depending on variable values read from
+@c /proc at each call, and from rlimit-obtained values CHILD_MAX,
+@c OPEN_MAX, ARG_MAX, SIGQUEUE_MAX.
 This function is used to inquire about runtime system parameters.  The
 @var{parameter} argument should be one of the @samp{_SC_} symbols listed
 below.
@@ -1342,6 +1353,11 @@ argument are declared in the header file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} pathconf (const char *@var{filename}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c When __statfs_link_max finds an ext* filesystem, it may read
+@c /proc/mounts or similar as a mntent stream.
+@c __statfs_chown_restricted may read from
+@c /proc/sys/fs/xfs/restrict_chown as a file descriptor.
 This function is used to inquire about the limits that apply to
 the file named @var{filename}.
 
@@ -1369,6 +1385,8 @@ support the @var{parameter} for the specific file.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {long int} fpathconf (int @var{filedes}, int @var{parameter})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, fdleak, memleak}}
+@c Same caveats as pathconf.
 This is just like @code{pathconf} except that an open file descriptor
 is used to specify the file for which information is requested, instead
 of a file name.
@@ -1615,6 +1633,7 @@ system with the function @code{confstr}:
 @comment unistd.h
 @comment POSIX.2
 @deftypefun size_t confstr (int @var{parameter}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function reads the value of a string-valued system parameter,
 storing the string into @var{len} bytes of memory space starting at
 @var{buf}.  The @var{parameter} argument should be one of the
diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..5c9f6f7 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -92,7 +92,13 @@ in a convenient way.
 @comment unistd.h
 @comment BSD
 @deftypefun {char *} getpass (const char *@var{prompt})
-
+@safety{@mtunsafe{tempterm}@asunsafe{asmalloc, selfdeadlock, asynconsist}@acunsafe{tempterm, lockleak, incansist}}
+@c This function will attempt to create a stream for terminal I/O, but
+@c will fallback to stdio/stderr.  It attempts to change the terminal
+@c mode in a thread-unsafe way, write out the prompt, read the password,
+@c then restore the terminal mode.  It has a cleanup to close the stream
+@c in case of (synchronous) cancellation, but not to restore the
+@c terminal mode.
 @code{getpass} outputs @var{prompt}, then reads a string in from the
 terminal without echoing it.  It tries to connect to the real terminal,
 @file{/dev/tty}, if possible, to encourage users not to put plaintext
@@ -127,6 +133,13 @@ The substitute takes the same parameters as @code{getline}
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Besides the obvious problem of returning a pointer into static
+@c storage, the DES initializer takes an internal lock with the usual
+@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
+@c NSS implementations of may leak file descriptors if canceled.  The
+@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
+@c and NSS relies on dlopening, which brings about another can of worms.
 
 The @code{crypt} function takes a password, @var{key}, as a string, and
 a @var{salt} character array which is described below, and returns a
@@ -188,6 +201,9 @@ for a password and prints ``Access granted.'' if the user types
 @comment crypt.h
 @comment GNU
 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock, asmalloc, shlimb}@acunsafe{lockleak, memleak, shlimb}}
+@c Compared with crypt, this function fixes the staticbuf problem, but
+@c nothing else.
 
 The @code{crypt_r} function does the same thing as @code{crypt}, but
 takes an extra parameter which includes space for its result (among
@@ -233,6 +249,11 @@ specifies the unused bits.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void setkey (const char *@var{key})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c The static buffer stores the key, making it fundamentally
+@c thread-unsafe.  The locking issues are only in the initialization
+@c path; cancelling the initialization will leave the lock held, it
+@c would otherwise repeat the initialization on the next call.
 
 The @code{setkey} function sets an internal data structure to be an
 expanded form of @var{key}.  @var{key} is specified as an array of 64
@@ -244,6 +265,8 @@ parity.
 @comment crypt.h
 @comment BSD, SVID
 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
+@safety{@mtunsafe{staticbuf}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
+@c Same issues as setkey.
 
 The @code{encrypt} function encrypts @var{block} if
 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
@@ -257,9 +280,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
 @comment crypt.h
 @comment GNU
 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 @comment crypt.h
 @comment GNU
 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
+@safety{@mtsafe{}@asunsafe{asynconsist, selfdeadlock}@acunsafe{lockleak}}
 
 These are reentrant versions of @code{setkey} and @code{encrypt}.  The
 only difference is the extra parameter, which stores the expanded
@@ -274,6 +299,7 @@ defined in @file{crypt.h}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
 using DES.  Each block is encrypted independently.
@@ -355,6 +381,7 @@ This macro returns 1 if @var{err} is a `success' result code from
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
 using DES in Cipher Block Chaining mode.
@@ -381,6 +408,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
 @comment rpc/des_crypt.h
 @comment SUNRPC
 @deftypefun void des_setparity (char *@var{key})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The function @code{des_setparity} changes the 64-bit @var{key}, stored
 packed in 8-bit bytes, to have odd parity by altering the low bits of
diff --git a/manual/ctype.texi b/manual/ctype.texi
index f05d509..ddf38ce 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -66,6 +66,13 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int islower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The is* macros call __ctype_b_loc to get the ctype array from the
+@c current locale, and then index it by c.  __ctype_b_loc reads from
+@c thread-local memory the (indirect) pointer to the ctype array, which
+@c may involve one word access to the global locale object, if that's
+@c the active locale for the thread, and the array, being part of the
+@c locale data, is undeletable, so there's no thread-safety issue.
 Returns true if @var{c} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -74,6 +81,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 @end deftypefun
@@ -82,6 +90,7 @@ from the Latin alphabet, any alphabet representable is valid.
 @comment ctype.h
 @comment ISO
 @deftypefun int isalpha (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphabetic character (a letter).  If
 @code{islower} or @code{isupper} is true of a character, then
 @code{isalpha} is also true.
@@ -97,6 +106,7 @@ additional characters.
 @comment ctype.h
 @comment ISO
 @deftypefun int isdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @end deftypefun
 
@@ -104,6 +114,7 @@ Returns true if @var{c} is a decimal digit (@samp{0} through @samp{9}).
 @comment ctype.h
 @comment ISO
 @deftypefun int isalnum (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is an alphanumeric character (a letter or
 number); in other words, if either @code{isalpha} or @code{isdigit} is
 true of a character, then @code{isalnum} is also true.
@@ -113,6 +124,7 @@ true of a character, then @code{isalnum} is also true.
 @comment ctype.h
 @comment ISO
 @deftypefun int isxdigit (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -123,6 +135,7 @@ Hexadecimal digits include the normal decimal digits @samp{0} through
 @comment ctype.h
 @comment ISO
 @deftypefun int ispunct (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -132,6 +145,7 @@ character.
 @comment ctype.h
 @comment ISO
 @deftypefun int isspace (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{isspace} returns true for only the standard
 whitespace characters:
@@ -161,6 +175,7 @@ vertical tab
 @comment ctype.h
 @comment ISO
 @deftypefun int isblank (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 @end deftypefun
@@ -169,6 +184,7 @@ This function was originally a GNU extension, but was added in @w{ISO C99}.
 @comment ctype.h
 @comment ISO
 @deftypefun int isgraph (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -178,6 +194,7 @@ considered graphic.
 @comment ctype.h
 @comment ISO
 @deftypefun int isprint (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 @end deftypefun
@@ -186,6 +203,7 @@ include all the graphic characters, plus the space (@samp{ }) character.
 @comment ctype.h
 @comment ISO
 @deftypefun int iscntrl (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a control character (that is, a character that
 is not a printing character).
 @end deftypefun
@@ -194,6 +212,7 @@ is not a printing character).
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int isascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Returns true if @var{c} is a 7-bit @code{unsigned char} value that fits
 into the US/UK ASCII character set.  This function is a BSD extension
 and is also an SVID extension.
@@ -227,6 +246,10 @@ These functions are declared in the header file @file{ctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The to* macros/functions call different functions that use different
+@c arrays than those of__ctype_b_loc, but the access patterns and
+@c thus safety guarantees are the same.
 If @var{c} is an upper-case letter, @code{tolower} returns the corresponding
 lower-case letter.  If @var{c} is not an upper-case letter,
 @var{c} is returned unchanged.
@@ -235,6 +258,7 @@ lower-case letter.  If @var{c} is not an upper-case letter,
 @comment ctype.h
 @comment ISO
 @deftypefun int toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If @var{c} is a lower-case letter, @code{toupper} returns the corresponding
 upper-case letter.  Otherwise @var{c} is returned unchanged.
 @end deftypefun
@@ -242,6 +266,7 @@ upper-case letter.  Otherwise @var{c} is returned unchanged.
 @comment ctype.h
 @comment SVID, BSD
 @deftypefun int toascii (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function converts @var{c} to a 7-bit @code{unsigned char} value
 that fits into the US/UK ASCII character set, by clearing the high-order
 bits.  This function is a BSD extension and is also an SVID extension.
@@ -250,6 +275,7 @@ bits.  This function is a BSD extension and is also an SVID extension.
 @comment ctype.h
 @comment SVID
 @deftypefun int _tolower (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{tolower}, and is provided for compatibility
 with the SVID.  @xref{SVID}.@refill
 @end deftypefun
@@ -257,6 +283,7 @@ with the SVID.  @xref{SVID}.@refill
 @comment ctype.h
 @comment SVID
 @deftypefun int _toupper (int @var{c})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is identical to @code{toupper}, and is provided for compatibility
 with the SVID.
 @end deftypefun
@@ -303,6 +330,15 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctype_t wctype (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Although the source code of wctype contains multiple references to
+@c the locale, that could each reference different locale_data objects
+@c should the global locale object change while active, the compiler can
+@c and does combine them all into a single dereference that resolves
+@c once to the LCTYPE locale object used throughout the function, so it
+@c is safe in practice, if not in theory.  Ideally we'd explicitly save
+@c the resolved locale_data object to make it visibly safe instead of
+@c safe only under compiler optimizations.
 The @code{wctype} returns a value representing a class of wide
 characters which is identified by the string @var{property}.  Beside
 some standard properties each locale can define its own ones.  In case
@@ -331,6 +367,8 @@ the @w{ISO C} standard defines a completely new function.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswctype (wint_t @var{wc}, wctype_t @var{desc})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The compressed lookup table returned by wctype is read-only.
 This function returns a nonzero value if @var{wc} is in the character
 class specified by @var{desc}.  @var{desc} must previously be returned
 by a successful call to @code{wctype}.
@@ -350,6 +388,15 @@ standard classes.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalnum (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c The implicit wctype call in the isw* functions is actually an
+@c optimized version because the category has a known offset, but the
+@c wctype is equally safe when optimized, unsafe if not optimized.
+@c Since it's not a macro, and we always optimize, it's fine.  The test
+@c whether wc is ASCII to use the non-wide is* macro/funciton doesn't
+@c bring any other safety issues: the test does not depend on the
+@c locale, and each path after the decision resolves the locale object
+@c only once.
 This function returns a nonzero value if @var{wc} is an alphanumeric
 character (a letter or number); in other words, if either @code{iswalpha}
 or @code{iswdigit} is true of a character, then @code{iswalnum} is also
@@ -370,6 +417,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswalpha (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an alphabetic character (a letter).  If
 @code{iswlower} or @code{iswupper} is true of a character, then
 @code{iswalpha} is also true.
@@ -394,6 +442,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswcntrl (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a control character (that is, a character that
 is not a printing character).
 
@@ -412,6 +461,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a digit (e.g., @samp{0} through @samp{9}).
 Please note that this function does not only return a nonzero value for
 @emph{decimal} digits, but for all kinds of digits.  A consequence is
@@ -442,6 +492,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswgraph (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a graphic character; that is, a character
 that has a glyph associated with it.  The whitespace characters are not
 considered graphic.
@@ -461,6 +512,7 @@ It is declared in @file{wctype.h}.
 @comment ctype.h
 @comment ISO
 @deftypefun int iswlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a lower-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -479,6 +531,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswprint (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a printing character.  Printing characters
 include all the graphic characters, plus the space (@samp{ }) character.
 
@@ -497,6 +550,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswpunct (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a punctuation character.
 This means any printing character that is not alphanumeric or a space
 character.
@@ -516,6 +570,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswspace (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a @dfn{whitespace} character.  In the standard
 @code{"C"} locale, @code{iswspace} returns true for only the standard
 whitespace characters:
@@ -555,6 +610,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is an upper-case letter.  The letter need not be
 from the Latin alphabet, any alphabet representable is valid.
 
@@ -573,6 +629,7 @@ It is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswxdigit (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a hexadecimal digit.
 Hexadecimal digits include the normal decimal digits @samp{0} through
 @samp{9} and the letters @samp{A} through @samp{F} and
@@ -597,6 +654,7 @@ characters as well.
 @comment wctype.h
 @comment ISO
 @deftypefun int iswblank (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 Returns true if @var{wc} is a blank character; that is, a space or a tab.
 This function was originally a GNU extension, but was added in @w{ISO C99}.
 It is declared in @file{wchar.h}.
@@ -691,7 +749,8 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Similar implementation, same caveats as wctype.
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -714,7 +773,8 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
-@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Same caveats as iswctype.
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be
@@ -732,6 +792,9 @@ for them.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towlower (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
+@c Same caveats as iswalnum, just using a wctrans rather than a wctype
+@c table.
 If @var{wc} is an upper-case letter, @code{towlower} returns the corresponding
 lower-case letter.  If @var{wc} is not an upper-case letter,
 @var{wc} is returned unchanged.
@@ -751,6 +814,7 @@ This function is declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towupper (wint_t @var{wc})
+@safety{@mtsafe{glocale}@assafe{}@acsafe{}}
 If @var{wc} is a lower-case letter, @code{towupper} returns the corresponding
 upper-case letter.  Otherwise @var{wc} is returned unchanged.
 
diff --git a/manual/debug.texi b/manual/debug.texi
index 1db9c18..ce0c263 100644
--- a/manual/debug.texi
+++ b/manual/debug.texi
@@ -36,6 +36,8 @@ and manipulate backtraces of the current thread.
 @comment execinfo.h
 @comment GNU
 @deftypefun int backtrace (void **@var{buffer}, int @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Pointer chasing within the local stack.
 The @code{backtrace} function obtains a backtrace for the current
 thread, as a list of pointers, and places the information into
 @var{buffer}.  The argument @var{size} should be the number of
@@ -56,6 +58,17 @@ interpreting the stack contents correctly.
 @comment execinfo.h
 @comment GNU
 @deftypefun {char **} backtrace_symbols (void *const *@var{buffer}, int @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, lockleak}}
+@c Collects info returned by _dl_addr in auto array, allocates memory
+@c for the whole return buffer with malloc then sprintfs into it storing
+@c pointers to the strings into the array entries in the buffer.
+@c _dl_addr takes the recursive dl_load_lock then calls
+@c _dl_find_dso_for_object and determine_info.
+@c _dl_find_dso_for_object calls _dl-addr_inside_object.
+@c All of them are safe as long as the lock is held.
+@c asynconsist?  It doesn't looke like the dynamic loader's data
+@c structures could be in an inconsistent state that would cause
+@c malfunction here.
 The @code{backtrace_symbols} function translates the information
 obtained from the @code{backtrace} function into an array of strings.
 The argument @var{buffer} should be a pointer to an array of addresses
@@ -88,6 +101,11 @@ cannot be obtained.
 @comment execinfo.h
 @comment GNU
 @deftypefun void backtrace_symbols_fd (void *const *@var{buffer}, int @var{size}, int @var{fd})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c Single loop of _dl_addr over addresses, collecting info into an iovec
+@c written out with a writev call per iteration.  Addresses and offsets
+@c are converted to hex in auto buffers, so the only potential issue
+@c here is leaking the dl lock in case of cancellation.
 The @code{backtrace_symbols_fd} function performs the same translation
 as the function @code{backtrace_symbols} function.  Instead of returning
 the strings to the caller, it writes the strings to the file descriptor
diff --git a/manual/errno.texi b/manual/errno.texi
index 6c9fa86..eb3f412 100644
--- a/manual/errno.texi
+++ b/manual/errno.texi
@@ -1293,6 +1293,9 @@ name of the program that encountered the error.
 @comment string.h
 @comment ISO
 @deftypefun {char *} strerror (int @var{errnum})
+@safety{@mtunsafe{staticbuf}@asunsafe{staticbuf, asmalloc, asi18n}@acsafe{memleak}}
+@c Calls strerror_r with a static buffer allocated with malloc on the
+@c first use.
 The @code{strerror} function maps the error code (@pxref{Checking for
 Errors}) specified by the @var{errnum} argument to a descriptive error
 message string.  The return value is a pointer to this string.
@@ -1310,6 +1313,7 @@ The function @code{strerror} is declared in @file{string.h}.
 @comment string.h
 @comment GNU
 @deftypefun {char *} strerror_r (int @var{errnum}, char *@var{buf}, size_t @var{n})
+@safety{@mtsafe{}@asunsafe{asi18n}@acsafe{}}
 The @code{strerror_r} function works like @code{strerror} but instead of
 returning the error message in a statically allocated buffer shared by
 all threads in the process, it returns a private copy for the
@@ -1331,6 +1335,10 @@ This function @code{strerror_r} is a GNU extension and it is declared in
 @comment stdio.h
 @comment ISO
 @deftypefun void perror (const char *@var{message})
+@safety{@mtsafe{xguargs}@asunsafe{asynconsist, asi18n, asmalloc, selfdeadlock}@acunsafe{incansist, lockleak, memleak, fdleak}}
+@c Besides strerror_r's and some of fprintf's issues, if stderr is not
+@c oriented yet, create a new stream with a dup of stderr's fd and write
+@c to that instead of stderr, to avoid orienting it.
 This function prints an error message to the stream @code{stderr};
 see @ref{Standard Streams}.  The orientation of @code{stderr} is not
 changed.
@@ -1442,6 +1450,13 @@ These functions are declared in @file{error.h}.
 @comment error.h
 @comment GNU
 @deftypefun void error (int @var{status}, int @var{errnum}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acsafe{}}
+@c Cancellation is disabled throught the execution.  It flushes stdout
+@c and then holds a lock on stderr while printing the program name and
+@c then running error_tail.  The non-wide case just runs vfprintf; the
+@c wide case converts the message to an alloca/malloc-allocated buffer
+@c with mbsrtowcs, then prints it with vfwprintf.  Afterwards,
+@c print_errno_message calls strerror_r and fxprintf.
 The @code{error} function can be used to report general problems during
 program execution.  The @var{format} argument is a format string just
 like those given to the @code{printf} family of functions.  The
@@ -1477,6 +1492,15 @@ incremented by one to keep track of the number of errors reported.
 @comment error.h
 @comment GNU
 @deftypefun void error_at_line (int @var{status}, int @var{errnum}, const char *@var{fname}, unsigned int @var{lineno}, const char *@var{format}, @dots{})
+@safety{@mtunsafe{staticbuf, glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist}}
+@c The error_one_per_line variable is accessed (without any form of
+@c synchronization, but since it's an int used once, it should be safe
+@c enough) and, if this mode is enabled, static variables used to hold
+@c the last printed file name and line number are accessed and modified
+@c without synchronization; the update is not atomic and it occurs
+@c before disabling cancellation, so it can be interrupted after only
+@c one of the two variables is modified.  After that, it's very much
+@c like error.
 
 The @code{error_at_line} function is very similar to the @code{error}
 function.  The only difference are the additional parameters @var{fname}
@@ -1582,6 +1606,8 @@ are included only for compatibility.
 @comment err.h
 @comment BSD
 @deftypefun void warn (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Just calls vwarn with the va_list.
 The @code{warn} function is roughly equivalent to a call like
 @smallexample
   error (0, errno, format, @r{the parameters})
@@ -1594,6 +1620,11 @@ are not used.
 @comment err.h
 @comment BSD
 @deftypefun void vwarn (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c While holding stderr's recursive lock, it prints the programname, the
+@c given message, and the error string with fw?printf's %m.  When the
+@c stream is wide, convert_and_print converts the format string to an
+@c alloca/malloc-created buffer using mbsrtowcs and then calls fwprintf.
 The @code{vwarn} function is just like @code{warn} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1602,6 +1633,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void warnx (const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn, but without the strerror translation issues.
 The @code{warnx} function is roughly equivalent to a call like
 @smallexample
   error (0, 0, format, @r{the parameters})
@@ -1615,6 +1648,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void vwarnx (const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn, but without the strerror translation issues.
 The @code{vwarnx} function is just like @code{warnx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1623,6 +1658,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void err (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warn followed by exit.
 The @code{err} function is roughly equivalent to a call like
 @smallexample
   error (status, errno, format, @r{the parameters})
@@ -1635,6 +1672,8 @@ are not used and that the program is exited even if @var{status} is zero.
 @comment err.h
 @comment BSD
 @deftypefun void verr (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc, asi18n}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarn followed by exit.
 The @code{verr} function is just like @code{err} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
@@ -1643,6 +1682,8 @@ in as an value of type @code{va_list}.
 @comment err.h
 @comment BSD
 @deftypefun void errx (int @var{status}, const char *@var{format}, @dots{})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as warnx followed by exit.
 The @code{errx} function is roughly equivalent to a call like
 @smallexample
   error (status, 0, format, @r{the parameters})
@@ -1657,6 +1698,8 @@ string is printed.
 @comment err.h
 @comment BSD
 @deftypefun void verrx (int @var{status}, const char *@var{format}, va_list @var{ap})
+@safety{@mtsafe{glocale}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, lockleak, memleak}}
+@c Same as vwarnx followed by exit.
 The @code{verrx} function is just like @code{errx} except that the
 parameters for the handling of the format string @var{format} are passed
 in as an value of type @code{va_list}.
diff --git a/manual/filesys.texi b/manual/filesys.texi
index 1df9cf2..2244025 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -58,6 +58,25 @@ Prototypes for these functions are declared in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun {char *} getcwd (char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c If buffer is NULL, this function calls malloc and realloc, and, in
+@c case of error, free.  Linux offers a getcwd syscall that we use on
+@c GNU/Linux systems, but it may fail if the pathname is too long.  As a
+@c fallback, and on other systems, the generic implementation opens each
+@c parent directory with opendir, which allocates memory for the
+@c directory stream with malloc.  If a fstatat64 syscall is not
+@c available, very deep directory trees may also have to malloc to build
+@c longer sequences of ../../../... than those supported by a global
+@c const read-only string.
+
+@c linux/__getcwd
+@c  posix/__getcwd
+@c   malloc/realloc/free if buffer is NULL, or if dir is too deep
+@c   lstat64 -> see its own entry
+@c   fstatat64
+@c     direct syscall if possible, alloca+snprintf+*stat64 otherwise
+@c   openat64_not_cancel_3, close_not_cancel_no_status
+@c   __fdopendir, __opendir, __readdir, rewinddir
 The @code{getcwd} function returns an absolute file name representing
 the current working directory, storing it in the character array
 @var{buffer} that you provide.  The @var{size} argument is how you tell
@@ -116,6 +135,9 @@ software.
 @comment unistd.h
 @comment BSD
 @deftypefn {Deprecated Function} {char *} getwd (char *@var{buffer})
+@safety{@mtsafe{}@asunsafe{asmalloc, asi18n}@acsafe{memleak, fdleak}}
+@c Besides the getcwd safety issues, it calls strerror_r on error, which
+@c brings in all of the i18n issues.
 This is similar to @code{getcwd}, but has no way to specify the size of
 the buffer.  @Theglibc{} provides @code{getwd} only
 for backwards compatibility with BSD.
@@ -130,6 +152,9 @@ this function is deprecated.
 @comment unistd.h
 @comment GNU
 @deftypefun {char *} get_current_dir_name (void)
+@safety{@mtunsafe{envromt}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides getcwd, which this function calls as a fallback, it calls
+@c getenv, with the usual thread-safety issues that brings about.
 @vindex PWD
 This @code{get_current_dir_name} function is basically equivalent to
 @w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
@@ -145,6 +170,7 @@ This function is a GNU extension.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 @var{filename}.
 
@@ -158,6 +184,7 @@ file @var{filename} is not a directory.
 @comment unistd.h
 @comment XPG
 @deftypefun int fchdir (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is used to set the process's working directory to
 directory associated with the file descriptor @var{filedes}.
 
@@ -294,12 +321,14 @@ values and @code{st_mode} values:
 @comment dirent.h
 @comment BSD
 @deftypefun int IFTODT (mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{d_type} value corresponding to @var{mode}.
 @end deftypefun
 
 @comment dirent.h
 @comment BSD
 @deftypefun mode_t DTTOIF (int @var{dtype})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This returns the @code{st_mode} value corresponding to @var{dtype}.
 @end deftypefun
 @end table
@@ -342,6 +371,9 @@ the following functions.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {DIR *} opendir (const char *@var{dirname})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Besides the safe syscall, we have to allocate the DIR object with
+@c __alloc_dir, that calls malloc.
 The @code{opendir} function opens and returns a directory stream for
 reading the directory whose file name is @var{dirname}.  The stream has
 type @code{DIR *}.
@@ -381,6 +413,8 @@ alternative interface can be used.
 @comment dirent.h
 @comment GNU
 @deftypefun {DIR *} fdopendir (int @var{fd})
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c The DIR object is allocated with __alloc_dir, that calls malloc.
 The @code{fdopendir} function works just like @code{opendir} but
 instead of taking a file name and opening a file descriptor for the
 directory the caller is required to provide a file descriptor.  This
@@ -425,6 +459,7 @@ access.
 @comment dirent.h
 @comment GNU
 @deftypefun int dirfd (DIR *@var{dirstream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The function @code{dirfd} returns the file descriptor associated with
 the directory stream @var{dirstream}.  This descriptor can be used until
 the directory is closed with @code{closedir}.  If the directory stream
@@ -443,6 +478,12 @@ symbols are declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c This function holds dirstream's non-recursive lock, which brings
+@c about the usual issues with locks and async signals and cancellation,
+@c but the lock taking is not enough to make the returned value safe to
+@c use, since it points to a stream's internal buffer that can be
+@c overwritten by subsequent calls or even released by closedir.
 This function reads the next entry from the directory.  It normally
 returns a pointer to a structure containing information about the file.
 This structure is statically allocated and can be rewritten by a
@@ -469,6 +510,7 @@ value.  Use @code{readdir_r} when this is critical.
 @comment dirent.h
 @comment GNU
 @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is the reentrant version of @code{readdir}.  Like
 @code{readdir} it returns the next entry from the directory.  But to
 prevent conflicts between simultaneously running threads the result is
@@ -516,6 +558,7 @@ of the last two functions.
 @comment dirent.h
 @comment LFS
 @deftypefun {struct dirent64 *} readdir64 (DIR *@var{dirstream})
+@safety{@mtunsafe{staticbuf}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64} function is just like the @code{readdir} function
 except that it returns a pointer to a record of type @code{struct
 dirent64}.  Some of the members of this data type (notably @code{d_ino})
@@ -527,6 +570,7 @@ In all other aspects this function is equivalent to @code{readdir}.
 @comment dirent.h
 @comment LFS
 @deftypefun int readdir64_r (DIR *@var{dirstream}, struct dirent64 *@var{entry}, struct dirent64 **@var{result})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{readdir64_r} function is equivalent to the @code{readdir_r}
 function except that it takes parameters of base type @code{struct
 dirent64} instead of @code{struct dirent} in the second and third
@@ -537,6 +581,10 @@ position.  The same precautions mentioned in the documentation of
 @comment dirent.h
 @comment POSIX.1
 @deftypefun int closedir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock (hurd)}@acsafe{memleak, fdleak, lockleak (hurd)}}
+@c No synchronization in the posix implementation, only in the hurd
+@c one.  This is regarded as safe because it is undefined behavior if
+@c other threads could still be using the dir stream while it's closed.
 This function closes the directory stream @var{dirstream}.  It returns
 @code{0} on success and @code{-1} on failure.
 
@@ -576,6 +624,7 @@ declared in the header file @file{dirent.h}.
 @comment dirent.h
 @comment POSIX.1
 @deftypefun void rewinddir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 The @code{rewinddir} function is used to reinitialize the directory
 stream @var{dirstream}, so that if you call @code{readdir} it
 returns information about the first entry in the directory again.  This
@@ -589,6 +638,10 @@ added or removed since you last called @code{opendir} or
 @comment dirent.h
 @comment BSD
 @deftypefun {long int} telldir (DIR *@var{dirstream})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{telldir} function returns the file position of the directory
 stream @var{dirstream}.  You can use this value with @code{seekdir} to
 restore the directory stream to that position.
@@ -597,6 +650,10 @@ restore the directory stream to that position.
 @comment dirent.h
 @comment BSD
 @deftypefun void seekdir (DIR *@var{dirstream}, long int @var{pos})
+@safety{@mtsafe{}@asunsafe{asmalloc (bsd), selfdeadlock (bsd)}@acunsafe{memleak (bsd), lockleak (bsd)}}
+@c The implementation is safe on most platforms, but on BSD it uses
+@c cookies, buckets and records, and the global array of pointers to
+@c dynamically allocated records is guarded by a non-recursive lock.
 The @code{seekdir} function sets the file position of the directory
 stream @var{dirstream} to @var{pos}.  The value @var{pos} must be the
 result of a previous call to @code{telldir} on this particular stream;
@@ -616,6 +673,19 @@ the result.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int scandir (const char *@var{dir}, struct dirent ***@var{namelist}, int (*@var{selector}) (const struct dirent *), int (*@var{cmp}) (const struct dirent **, const struct dirent **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c The scandir function calls __opendirat, __readdir, and __closedir to
+@c go over the named dir; malloc and realloc to allocate the namelist
+@c and copies of each selected dirent, besides the selector, if given,
+@c and qsort and the cmp functions if the latter is given.  In spite of
+@c the cleanup handler that releases memory and the file descriptor in
+@c case of synchronous cancellation, an asynchronous cancellation may
+@c still leak memory and a file descriptor.  Although readdir is unsafe
+@c in general, the use of an internal dir stream for sequential scanning
+@c of the directory with copying of dirents before subsequent calls
+@c makes the use safe, and the fact that the dir stream is private to
+@c each scandir call does away with the lock issues in readdir and
+@c closedir.
 
 The @code{scandir} function scans the contents of the directory selected
 by @var{dir}.  The result in *@var{namelist} is an array of pointers to
@@ -646,6 +716,8 @@ are very helpful for this purpose.
 @comment dirent.h
 @comment BSD/SVID
 @deftypefun int alphasort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Calls strcoll.
 The @code{alphasort} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -658,6 +730,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls strverscmp.
 The @code{versionsort} function is like @code{alphasort} except that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -670,6 +744,8 @@ dirent64}}.  To use this we need a new function.
 @comment dirent.h
 @comment GNU
 @deftypefun int scandir64 (const char *@var{dir}, struct dirent64 ***@var{namelist}, int (*@var{selector}) (const struct dirent64 *), int (*@var{cmp}) (const struct dirent64 **, const struct dirent64 **))
+@safety{@mtsafe{}@asunsafe{asmalloc}@acunsafe{memleak, fdleak}}
+@c See scandir.
 The @code{scandir64} function works like the @code{scandir} function
 except that the directory entries it returns are described by elements
 of type @w{@code{struct dirent64}}.  The function pointed to by
@@ -688,6 +764,8 @@ argument.  Instead we provide the two replacement functions below.
 @comment dirent.h
 @comment GNU
 @deftypefun int alphasort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c See alphasort.
 The @code{alphasort64} function behaves like the @code{strcoll} function
 (@pxref{String/Array Comparison}).  The difference is that the arguments
 are not string pointers but instead they are of type
@@ -700,6 +778,8 @@ than zero depending on the order of the two entries @var{a} and @var{b}.
 @comment dirent.h
 @comment GNU
 @deftypefun int versionsort64 (const void *@var{a}, const void *@var{b})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c See versionsort.
 The @code{versionsort64} function is like @code{alphasort64}, excepted that it
 uses the @code{strverscmp} function internally.
 @end deftypefun
@@ -880,6 +960,8 @@ file was passed).
 @comment ftw.h
 @comment SVID
 @deftypefun int ftw (const char *@var{filename}, __ftw_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
+@c see nftw for safety details
 The @code{ftw} function calls the callback function given in the
 parameter @var{func} for every item which is found in the directory
 specified by @var{filename} and all directories below.  The function
@@ -930,6 +1012,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int ftw64 (const char *@var{filename}, __ftw64_func_t @var{func}, int @var{descriptors})
+@safety{@mtsafe{xguargs}, @asunsafe{asmalloc}, @acsafe{memleak, fdleak}}
 This function is similar to @code{ftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -943,6 +1026,17 @@ transparently replaces the old implementation.
 @comment ftw.h
 @comment XPG4.2
 @deftypefun int nftw (const char *@var{filename}, __nftw_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c ftw_startup calls alloca, malloc, free, xstat/lxstat, tdestroy, and ftw_dir
+@c  if FTW_CHDIR, call open, and fchdir, or chdir and getcwd
+@c ftw_dir calls open_dir_stream, readdir64, process_entry, closedir
+@c  if FTW_CHDIR, also calls fchdir
+@c open_dir_stream calls malloc, realloc, readdir64, free, closedir,
+@c  then openat64_not_cancel_3 and fdopendir or opendir, then dirfd.
+@c process_entry may cal realloc, fxstatat/lxstat/xstat, ftw_dir, and
+@c  find_object (tsearch) and add_object (tfind).  
+@c Since each invocation of *ftw uses its own private search tree, none
+@c  of the search tree concurrency issues apply.
 The @code{nftw} function works like the @code{ftw} functions.  They call
 the callback function @var{func} for all items found in the directory
 @var{filename} and below.  At most @var{descriptors} file descriptors
@@ -1003,6 +1097,7 @@ interface transparently replaces the old interface.
 @comment ftw.h
 @comment Unix98
 @deftypefun int nftw64 (const char *@var{filename}, __nftw64_func_t @var{func}, int @var{descriptors}, int @var{flag})
+@safety{@mtsafe{xguargs, tempchwd}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
 This function is similar to @code{nftw} but it can work on filesystems
 with large files.  File information is reported using a variable of type
 @code{struct stat64} which is passed by reference to the callback
@@ -1046,6 +1141,7 @@ file @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int link (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{link} function makes a new link to the existing file named by
 @var{oldname}, under the new name @var{newname}.
 
@@ -1153,6 +1249,7 @@ Prototypes for most of the functions listed in this section are in
 @comment unistd.h
 @comment BSD
 @deftypefun int symlink (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{symlink} function makes a symbolic link to @var{oldname} named
 @var{newname}.
 
@@ -1190,6 +1287,7 @@ exceeded.
 @comment unistd.h
 @comment BSD
 @deftypefun ssize_t readlink (const char *@var{filename}, char *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{readlink} function gets the value of the symbolic link
 @var{filename}.  The file name that the link points to is copied into
 @var{buffer}.  This file name string is @emph{not} null-terminated;
@@ -1249,6 +1347,8 @@ names can refer to the same inode.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} canonicalize_file_name (const char *@var{name})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls realpath.
 
 The @code{canonicalize_file_name} function returns the absolute name of
 the file named by @var{name} which contains no @code{.}, @code{..}
@@ -1290,6 +1390,8 @@ where the result is placed in.
 @comment stdlib.h
 @comment XPG
 @deftypefun {char *} realpath (const char *restrict @var{name}, char *restrict @var{resolved})
+@safety{@mtsafe{xguargs}@asunsafe{asmalloc}@acsafe{memleak, fdleak}}
+@c Calls malloc, realloc, getcwd, lxstat64, readlink, alloca.
 
 A call to @code{realpath} where the @var{resolved} parameter is
 @code{NULL} behaves exactly like @code{canonicalize_file_name}.  The
@@ -1329,6 +1431,7 @@ then the file is deleted as well.  If the file has other remaining names
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int unlink (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{unlink} function deletes the file name @var{filename}.  If
 this is a file's sole name, the file itself is also deleted.  (Actually,
 if any process has the file open when this happens, deletion is
@@ -1371,6 +1474,7 @@ file system and can't be modified.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int rmdir (const char *@var{filename})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @cindex directories, deleting
 @cindex deleting a directory
 The @code{rmdir} function deletes a directory.  The directory must be
@@ -1398,6 +1502,8 @@ The prototype for this function is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int remove (const char *@var{filename})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Calls unlink and rmdir.
 This is the @w{ISO C} function to remove a file.  It works like
 @code{unlink} for files and like @code{rmdir} for directories.
 @code{remove} is declared in @file{stdio.h}.
@@ -1413,6 +1519,10 @@ The @code{rename} function is used to change a file's name.
 @comment stdio.h
 @comment ISO
 @deftypefun int rename (const char *@var{oldname}, const char *@var{newname})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a rename syscall, there's an emulation with link
+@c and unlink, but it's racy, even more so if newname exists and is
+@c unlinked first.
 The @code{rename} function renames the file @var{oldname} to
 @var{newname}.  The file formerly accessible under the name
 @var{oldname} is afterwards accessible as @var{newname} instead.  (If
@@ -1508,6 +1618,7 @@ a shell command @code{mkdir} which does the same thing.)
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int mkdir (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{mkdir} function creates a new, empty directory with name
 @var{filename}.
 
@@ -1849,6 +1960,7 @@ header file @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int stat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{stat} function returns information about the attributes of the
 file named by @w{@var{filename}} in the structure pointed to by @var{buf}.
 
@@ -1875,6 +1987,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int stat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{stat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1888,6 +2001,7 @@ replaces the interface for small files on 32-bit machines.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int fstat (int @var{filedes}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fstat} function is like @code{stat}, except that it takes an
 open file descriptor as an argument instead of a file name.
 @xref{Low-Level I/O}.
@@ -1909,6 +2023,7 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int fstat64 (int @var{filedes}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{fstat} but is able to work on large
 files on 32-bit platforms.  For large files the file descriptor
 @var{filedes} should be obtained by @code{open64} or @code{creat64}.
@@ -1920,9 +2035,16 @@ function is available under the name @code{fstat} and so transparently
 replaces the interface for small files on 32-bit machines.
 @end deftypefun
 
+@c fstatat will call alloca and snprintf if the syscall is not
+@c available.
+@c @safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+
 @comment sys/stat.h
 @comment BSD
 @deftypefun int lstat (const char *@var{filename}, struct stat *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat, sometimes with an xstat conv call
+@c afterwards.
 The @code{lstat} function is like @code{stat}, except that it does not
 follow symbolic links.  If @var{filename} is the name of a symbolic
 link, @code{lstat} returns information about the link itself; otherwise
@@ -1936,6 +2058,9 @@ replaces the normal implementation.
 @comment sys/stat.h
 @comment Unix98
 @deftypefun int lstat64 (const char *@var{filename}, struct stat64 *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct system call through lxstat64, sometimes with an xstat conv
+@c call afterwards.
 This function is similar to @code{lstat} but it is also able to work on
 files larger then @math{2^31} bytes on 32-bit systems.  To be able to do
 this the result is stored in a variable of type @code{struct stat64} to
@@ -1974,12 +2099,14 @@ that file:
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISDIR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a directory.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISCHR (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a character special file (a
 device like a terminal).
 @end deftypefn
@@ -1987,6 +2114,7 @@ device like a terminal).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISBLK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a block special file (a device
 like a disk).
 @end deftypefn
@@ -1994,12 +2122,14 @@ like a disk).
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISREG (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a regular file.
 @end deftypefn
 
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_ISFIFO (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a FIFO special file, or a
 pipe.  @xref{Pipes and FIFOs}.
 @end deftypefn
@@ -2007,6 +2137,7 @@ pipe.  @xref{Pipes and FIFOs}.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISLNK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a symbolic link.
 @xref{Symbolic Links}.
 @end deftypefn
@@ -2014,6 +2145,7 @@ This macro returns non-zero if the file is a symbolic link.
 @comment sys/stat.h
 @comment GNU
 @deftypefn Macro int S_ISSOCK (mode_t @var{m})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns non-zero if the file is a socket.  @xref{Sockets}.
 @end deftypefn
 
@@ -2096,6 +2228,7 @@ the whole @code{struct stat} structure.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISMQ (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX message queues as distinct objects and the
 file is a message queue object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2104,6 +2237,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSEM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX semaphores as distinct objects and the
 file is a semaphore object, this macro returns a non-zero value.
 In all other cases the result is zero.
@@ -2112,6 +2246,7 @@ In all other cases the result is zero.
 @comment sys/stat.h
 @comment POSIX
 @deftypefn Macro int S_TYPEISSHM (struct stat *@var{s})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 If the system implement POSIX shared memory objects as distinct objects
 and the file is an shared memory object, this macro returns a non-zero
 value.  In all other cases the result is zero.
@@ -2156,6 +2291,7 @@ The prototype for this function is declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int chown (const char *@var{filename}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chown} function changes the owner of the file @var{filename} to
 @var{owner}, and its group owner to @var{group}.
 
@@ -2190,6 +2326,7 @@ The file is on a read-only file system.
 @comment unistd.h
 @comment BSD
 @deftypefun int fchown (int @var{filedes}, uid_t @var{owner}, gid_t @var{group})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chown}, except that it changes the owner of the open
 file with descriptor @var{filedes}.
 
@@ -2469,6 +2606,7 @@ The functions in this section are declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun mode_t umask (mode_t @var{mask})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{umask} function sets the file creation mask of the current
 process to @var{mask}, and returns the previous value of the file
 creation mask.
@@ -2494,6 +2632,7 @@ you just want to read the mask value, because it is reentrant.
 @comment sys/stat.h
 @comment GNU
 @deftypefun mode_t getumask (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 Return the current value of the file creation mask for the current
 process.  This function is a GNU extension and is only available on
 @gnuhurdsystems{}.
@@ -2502,6 +2641,7 @@ process.  This function is a GNU extension and is only available on
 @comment sys/stat.h
 @comment POSIX.1
 @deftypefun int chmod (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{chmod} function sets the access permission bits for the file
 named by @var{filename} to @var{mode}.
 
@@ -2542,6 +2682,7 @@ for full details on the sticky bit.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int fchmod (int @var{filedes}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This is like @code{chmod}, except that it changes the permissions of the
 currently open file given by @var{filedes}.
 
@@ -2612,6 +2753,7 @@ The symbols in this section are declared in @file{unistd.h}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int access (const char *@var{filename}, int @var{how})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{access} function checks to see whether the file named by
 @var{filename} can be accessed in the way specified by the @var{how}
 argument.  The @var{how} argument either can be the bitwise OR of the
@@ -2732,6 +2874,9 @@ This is the modification time for the file.
 @comment utime.h
 @comment POSIX.1
 @deftypefun int utime (const char *@var{filename}, const struct utimbuf *@var{times})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utime syscall, it non-atomically converts times
+@c to a struct timeval and calls utimes.
 This function is used to modify the file times associated with the file
 named @var{filename}.
 
@@ -2783,6 +2928,10 @@ in the header file @file{sys/time.h}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int utimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c In the absence of a utimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, or to
+@c struct utimbuf and calls utime.
 This function sets the file access and modification times of the file
 @var{filename}.  The new file access time is specified by
 @code{@var{tvp}[0]}, and the new modification time by
@@ -2797,6 +2946,9 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int lutimes (const char *@var{filename}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no lutimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall.
 This function is like @code{utimes}, except that it does not follow
 symbolic links.  If @var{filename} is the name of a symbolic link,
 @code{lutimes} sets the file access and modification times of the
@@ -2813,6 +2965,10 @@ function.
 @comment sys/time.h
 @comment BSD
 @deftypefun int futimes (int @var{fd}, const struct timeval @var{tvp}@t{[2]})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Since there's no futimes syscall, it non-atomically converts tvp
+@c to struct timespec array and issues a utimensat syscall, falling back
+@c to utimes on a /proc/self/fd symlink.
 This function is like @code{utimes}, except that it takes an open file
 descriptor as an argument instead of a file name.  @xref{Low-Level
 I/O}.  This function comes from FreeBSD, and is not available on all
@@ -2867,6 +3023,8 @@ succeed, without actually accomplishing anything.
 @comment unistd.h
 @comment X/Open
 @deftypefun int truncate (const char *@var{filename}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a truncate syscall, we use open and ftruncate.
 
 The @code{truncate} function changes the size of @var{filename} to
 @var{length}.  If @var{length} is shorter than the previous length, data
@@ -2911,6 +3069,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int truncate64 (const char *@var{name}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try truncate if length fits.
 This function is similar to the @code{truncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines, which allows the handling of files with sizes up to
@@ -2924,6 +3084,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX
 @deftypefun int ftruncate (int @var{fd}, off_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This is like @code{truncate}, but it works on a file descriptor @var{fd}
 for an opened file instead of a file name to identify the object.  The
@@ -2988,6 +3149,8 @@ The operation was interrupted by a signal.
 @comment unistd.h
 @comment Unix98
 @deftypefun int ftruncate64 (int @var{id}, off64_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c In the absence of a syscall, try ftruncate if length fits.
 This function is similar to the @code{ftruncate} function.  The
 difference is that the @var{length} argument is 64 bits wide even on 32
 bits machines which allows the handling of files with sizes up to
@@ -3050,6 +3213,10 @@ The prototype for @code{mknod} is declared in @file{sys/stat.h}.
 @comment sys/stat.h
 @comment BSD
 @deftypefun int mknod (const char *@var{filename}, mode_t @var{mode}, dev_t @var{dev})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Instead of issuing the syscall directly, we go through xmknod.
+@c Although the internal xmknod takes a dev_t*, that could lead to
+@c xguargs races, it's passed a pointer to mknod's dev.
 The @code{mknod} function makes a special file with name @var{filename}.
 The @var{mode} specifies the mode of the file, and may include the various
 special file bits, such as @code{S_IFCHR} (for a character special file)
@@ -3101,6 +3268,20 @@ These facilities are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} tmpfile (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c The unsafety issues are those of fdopen, plus fdleak because of the
+@c open.
+@c __path_search (internal buf, !dir, const pfx, !try_tmpdir) ok
+@c  libc_secure_genenv only if try_tmpdir
+@c  xstat64, strlen, strcmp, sprintf
+@c __gen_tempname (internal tmpl, __GT_FILE) ok
+@c  strlen, memcmp, getpid, open/mkdir/lxstat64 ok
+@c  HP_TIMING_NOW if available ok
+@c  gettimeofday (!tz) first time, or every time if no HP_TIMING_NOW ok
+@c  static value is used and modified without synchronization ok
+@c   but the use is as a source of non-cryptographic randomness
+@c   with retries in case of collision, so it should be safe
+@c unlink, fdopen
 This function creates a temporary binary file for update mode, as if by
 calling @code{fopen} with mode @code{"wb+"}.  The file is deleted
 automatically when it is closed or when the program terminates.  (On
@@ -3117,6 +3298,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} tmpfile64 (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{tmpfile}, but the stream it returns a
 pointer to was opened using @code{tmpfile64}.  Therefore this stream can
 be used for files larger then @math{2^31} bytes on 32-bit machines.
@@ -3132,6 +3314,11 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} tmpnam (char *@var{result})
+@safety{@mtunsafe{xguargs, staticbuf}@asunsafe{staticbuf}@acsafe{}}
+@c The passed-in buffer should not be modified concurrently with the
+@c call.
+@c __path_search (static or passed-in buf, !dir, !pfx, !try_tmpdir) ok
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
 This function constructs and returns a valid file name that does not
 refer to any existing file.  If the @var{result} argument is a null
 pointer, the return value is a pointer to an internal static string,
@@ -3156,6 +3343,7 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} tmpnam_r (char *@var{result})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 This function is nearly identical to the @code{tmpnam} function, except
 that if @var{result} is a null pointer it returns a null pointer.
 
@@ -3192,6 +3380,13 @@ never less than @code{25}.
 @comment stdio.h
 @comment SVID
 @deftypefun {char *} tempnam (const char *@var{dir}, const char *@var{prefix})
+@safety{@mtunsafe{xguargs, envromt}@assafe{asmalloc}@acsafe{memleak}}
+@c There's no way (short of being setuid) to avoid getenv("TMPDIR"),
+@c even with a non-NULL dir, which makes this thread-unsafe.
+@c
+@c __path_search (internal buf, dir, pfx, try_tmpdir) unsafe getenv
+@c __gen_tempname (internal tmpl, __GT_NOCREATE) ok
+@c strdup
 This function generates a unique temporary file name.  If @var{prefix}
 is not a null pointer, up to five characters of this string are used as
 a prefix for the file name.  The return value is a string newly
@@ -3255,6 +3450,8 @@ string.  These functions are declared in the header file @file{stdlib.h}.
 @comment stdlib.h
 @comment Unix
 @deftypefun {char *} mktemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_NOCREATE) ok
 The @code{mktemp} function generates a unique file name by modifying
 @var{template} as described above.  If successful, it returns
 @var{template} as modified.  If @code{mktemp} cannot find a unique file
@@ -3273,6 +3470,8 @@ opening the file you should use the @code{O_EXCL} flag.  Using
 @comment stdlib.h
 @comment BSD
 @deftypefun int mkstemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{fdleak}}
+@c __gen_tempname (caller tmpl, __GT_FILE) ok
 The @code{mkstemp} function generates a unique file name just as
 @code{mktemp} does, but it also opens the file for you with @code{open}
 (@pxref{Opening and Closing Files}).  If successful, it modifies
@@ -3295,6 +3494,8 @@ new file and get an error if the file already exists.
 @comment stdlib.h
 @comment BSD
 @deftypefun {char *} mkdtemp (char *@var{template})
+@safety{@mtunsafe{xguargs}@assafe{}@acsafe{}}
+@c __gen_tempname (caller tmpl, __GT_DIR) ok
 The @code{mkdtemp} function creates a directory with a unique name.  If
 it succeeds, it overwrites @var{template} with the name of the
 directory, and returns @var{template}.  As with @code{mktemp} and
@@ -3316,3 +3517,23 @@ creation always works like @code{open} with @code{O_EXCL}.
 @xref{Creating Directories}.
 
 The @code{mkdtemp} function comes from OpenBSD.
+
+@c FIXME these are undocumented:
+@c faccessat
+@c fchmodat
+@c fchownat
+@c futimesat
+@c fstatat
+@c linkat
+@c mkdirat
+@c mkfifoat
+@c name_to_handle_at
+@c openat
+@c open_by_handle_at
+@c readlinkat
+@c renameat
+@c scandirat
+@c symlinkat
+@c unlinkat
+@c utimensat
+@c mknodat
diff --git a/manual/getopt.texi b/manual/getopt.texi
index f0b7283..3c1f4de 100644
--- a/manual/getopt.texi
+++ b/manual/getopt.texi
@@ -60,6 +60,31 @@ option argument, for those options that accept arguments.
 @comment unistd.h
 @comment POSIX.2
 @deftypefun int getopt (int @var{argc}, char *const *@var{argv}, const char *@var{options})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c It may swap argv elements but argv is not guarded, and the
+@c modifications may be partial in case of cancellation.  Calling getenv
+@c also brings about thread-safety issues out of access and returning
+@c pointers into the globally shared environment array, just like
+@c calling gettext brings about a whole lot of AS and AC safety issues.
+@c The getopt API involves returning values in the non-thread-specific
+@c optarg variable, which adds another thread-safety issue.  Given
+@c print_errors, it may output errors to stderr, which may
+@c self-deadlock, leak locks, or encounter (in a signal handler) or
+@c leave (in case of cancellation) stderr in an inconsistent state.
+@c Various implicit, indirect uses of malloc, in uses of memstream and
+@c asprintf for error-printing, bring about the usual malloc issues.
+@c (The explicit use of malloc in a conditional situation in
+@c _getopt_initialize is never exercised in glibc.)
+@c
+@c _getopt_internal
+@c  _getopt_internal_r
+@c   gettext
+@c   _getopt_initialize
+@c    getenv
+@c    malloc if USE_NONOPTION_FLAGS, never defined in libc
+@c   open_memstream
+@c   lockfile, unlockfile, __fxprintf -> stderr
+@c   asprintf
 The @code{getopt} function gets the next option argument from the
 argument list specified by the @var{argv} and @var{argc} arguments.
 Normally these values come directly from the arguments received by
@@ -225,6 +250,8 @@ was seen.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 Decode options from the vector @var{argv} (whose length is @var{argc}).
 The argument @var{shortopts} describes the short options to accept, just as
 it does in @code{getopt}.  The argument @var{longopts} describes the long
@@ -278,6 +305,8 @@ getopt functionality there is one more function available.
 @comment getopt.h
 @comment GNU
 @deftypefun int getopt_long_only (int @var{argc}, char *const *@var{argv}, const char *@var{shortopts}, const struct option *@var{longopts}, int *@var{indexptr})
+@safety{@mtunsafe{xguargs, envromt, staticbuf}@asunsafe{asmalloc, asi18n, selfdeadlock, asynconsist}@acunsafe{memleak, lockleak, incansist}}
+@c Same issues as getopt.
 
 The @code{getopt_long_only} function is equivalent to the
 @code{getopt_long} function but it allows to specify the user of the
diff --git a/manual/intro.texi b/manual/intro.texi
index 2630a77..e47832c 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -262,6 +262,28 @@ if the effective thread-local locale is not the global locale object
 @code{setlocale} should not be called while these functions are active.
 
 
+@item @code{envromt}
+@cindex envromt
+
+Functions marked with @code{envromt} access the environment with
+@code{getenv} or similar, requiring the environment to be effectively
+read-only for MT-Safe operation.
+
+Environment-modifying functions do not protect in any way against
+concurrent modifications or access, so calling @code{envromt}-marked
+functions concurrently with @code{setenv}, @code{putenv},
+@code{unsetenv} or direct modifications of the global environment data
+structures is ill-advised; external concurrency control must be
+introduced by callers of these environment-modifying and
+@code{envromt}-marked functions.
+
+Functions that modify the environment are also marked with
+@code{envromt}, but they are not MT-Safe for the reasons above.  Since
+all environment-modifying functions are MT-Unsafe, functions that only
+access the environment are marked as MT-Safe when no other safety issue
+applies.
+
+
 @item @code{uunguard}
 @cindex uunguard
 
@@ -291,6 +313,42 @@ AS-Safe behavior, callers must ensure that the objects passed in are not
 modified concurrently by other threads or signal handlers.
 
 
+@item @code{tempchwd}
+@cindex tempchwd
+
+Functions marked with @code{tempchwd} may temporarily change the current
+working directory during their execution, which may cause relative
+pathnames to be resolved in unexpected ways in other threads or within
+asynchronous signal or cancellation handlers.
+
+This is not enough of a reason to mark so-marked functions as MT-Unsafe,
+but when this behavior is optional (e.g., @code{nftw} with
+@code{FTW_CHDIR}), avoiding the option in multi-threaded programs may be
+a good alternative to using full pathnames or file descriptor-relative
+(e.g. @code{openat}) system calls.
+
+
+@item @code{tempterm}
+@cindex tempterm
+
+Functions marked with @code{tempterm} may temporarily change the
+terminal settings.
+
+This would not be enough of a reason to mark so-marked functions as
+MT-Unsafe, but the recommended mode to modify terminal settings is to
+call @code{tcgetattr}, modify some flags, and then call
+@code{tcsetattr}.  Functions marked with @code{tempterm} do that, so
+they leave a window in which changes made by other threads are lost.
+
+It is thus advisable for applications using the terminal to avoid
+concurrent interactions with it, more so if they expect different
+terminal modes.
+
+If this mark appears as an AC-Safety note, it means the function may
+also fail to restore the original terminal mode in case of asynchronous
+cancellation.
+
+
 @end itemize
 
 
@@ -305,11 +363,37 @@ as follows:
 
 Functions annotated with @code{staticbuf} use internal static buffers or
 variables in ways that may cause concurrent calls to interfere
-destructively.
+destructively.  
 
 These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
 offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
 
+In many of these cases, the static buffer is only used to hold a return
+value; in a few of these, such as @code{tmpnam}, the use of the internal
+buffer can be avoided by passing the buffer as an argument, which makes
+the call MT-Safe and AS-Safe.
+
+
+@item @code{asi18n}
+@cindex asi18n
+
+Functions marked with @code{asi18n} use internationalization functions
+(@code{gettext}), which brings in a number of dependencies and issues
+yet to be documented.
+
+
+@item @code{shlimb}
+@cindex shlimb
+
+Functions marked with @code{shlimb} use the dynamic loader to bring in
+additional code modules.  This involves opening files, mapping them into
+memory, allocating additional memory, resolving symbols, applying
+relocations and more, all of this while holding the dynamic loader
+lock.  
+
+The non-recursive lock itself is enough for the function to be AS- and
+AC-Unsafe, but many other issues may arise.
+
 
 @item @code{fdleak}
 @cindex fdleak
@@ -390,9 +474,8 @@ For the reasons above, functions that leak locks are all AC-Unsafe.
 Functions marked with @code{selfdeadlock} take a non-recursive lock to
 ensure MT-Safety while modifying data structures guarded by the lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the result is a deadlock.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, the result is a deadlock.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid a deadlock if any signal handler might need
@@ -406,10 +489,9 @@ Functions marked with @code{asynconsist} take a recursive lock to ensure
 MT-Safety while accessing or modifying data structures guarded by the
 lock.
 
-If such a function is interrupted by a signal while holding the lock,
-and the signal handler calls any function that takes the same
-non-recursive lock, the latter function may observe a partially updated,
-inconsistent data structure, and misbehave.
+If such a function is called by a signal handler that interrupted
+another such function that took the lock, both may misbehave for
+observing inconsistent (partially updated or cached) data structures.
 
 Blocking asynchronous signal delivery while calling such functions is
 the only safe way to avoid the misbehavior that may ensue if any signal
@@ -444,6 +526,21 @@ Disabling asynchronous cancelation while calling such functions is the
 only safe way to avoid the misbehavior that may ensure if the thread is
 canceled while the function is running.
 
+@c A special case, probably not worth documenting separately, involves
+@c reallocing, or even freeing pointers.  Any case involving free could
+@c be easily turned into an ac-safe memleak by resetting the pointer
+@c before releasing it; I don't think we have any case that calls for
+@c this sort of fixing.  Fixing the realloc cases would require a new
+@c interface: instead of @code{ptr=realloc(ptr,size)} we'd have to
+@c introduce @code{acsafe_realloc(&ptr,size)} that would modify ptr
+@c before releasing the old memory.  The ac-unsafe realloc could be
+@c implemented in terms of an internal interface with this semantics
+@c (say __acsafe_realloc), but since realloc can be overridden, the
+@c function we call to implement realloc should not be this internal
+@c interface, but another internal interface that calls __acsafe_realloc
+@c if realloc was not overridden, and calls the overridden realloc with
+@c async cancel disabled.  --lxoliva
+
 
 @item @code{simfpu}
 @cindex simfpu
diff --git a/manual/job.texi b/manual/job.texi
index 4efeed3..779ea96 100644
--- a/manual/job.texi
+++ b/manual/job.texi
@@ -1039,6 +1039,10 @@ The function @code{ctermid} is declared in the header file
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {char *} ctermid (char *@var{string})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This function is a stub by default; the actual implementation, for
+@c posix systems, returns an internal buffer if passed a NULL string,
+@c but the internal buffer is always set to /dev/tty.
 The @code{ctermid} function returns a string containing the file name of
 the controlling terminal for the current process.  If @var{string} is
 not a null pointer, it should be an array that can hold at least
@@ -1075,6 +1079,11 @@ Your program should include the header files @file{sys/types.h} and
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t setsid (void)
+@safety{@mtsafe{}@assafe{selfdeadlock (hurd)}@acsafe{lockleak (hurd)}}
+@c This is usually a direct syscall, but if a syscall is not available,
+@c we use a stub, or Hurd- and BSD-specific implementations.  The former
+@c uses a mutex and a hurd critical section, and the latter issues a few
+@c syscalls, so both seem safe, except for the locking on Hurd.
 The @code{setsid} function creates a new session.  The calling process
 becomes the session leader, and is put in a new process group whose
 process group ID is the same as the process ID of that process.  There
@@ -1098,7 +1107,8 @@ already another process group around that has the same process group ID.
 @comment unistd.h
 @comment SVID
 @deftypefun pid_t getsid (pid_t @var{pid})
-
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{getsid} function returns the process group ID of the session
 leader of the specified process.  If a @var{pid} is @code{0}, the
 process group ID of the session leader of the current process is
@@ -1134,6 +1144,8 @@ programs with the @code{-lbsd-compat} option to get the BSD definition.@refill
 @comment unistd.h
 @comment POSIX.1
 @deftypefn {POSIX.1 Function} pid_t getpgrp (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The POSIX.1 definition of @code{getpgrp} returns the process group ID of
 the calling process.
 @end deftypefn
@@ -1141,6 +1153,8 @@ the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefn {BSD Function} pid_t getpgrp (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Wrapper for getpgid.
 The BSD definition of @code{getpgrp} returns the process group ID of the
 process @var{pid}.  You can supply a value of @code{0} for the @var{pid}
 argument to get information about the calling process.
@@ -1149,6 +1163,8 @@ argument to get information about the calling process.
 @comment unistd.h
 @comment SVID
 @deftypefn {System V Function} int getpgid (pid_t @var{pid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 
 @code{getpgid} is the same as the BSD function @code{getpgrp}.  It
 returns the process group ID of the process @var{pid}.  You can supply a
@@ -1171,6 +1187,8 @@ process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int setpgid (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub or direct syscall, except on hurd, where it is equally safe.
 The @code{setpgid} function puts the process @var{pid} into the process
 group @var{pgid}.  As a special case, either @var{pid} or @var{pgid} can
 be zero to indicate the process ID of the calling process.
@@ -1208,6 +1226,8 @@ process or a child of the calling process.
 @comment unistd.h
 @comment BSD
 @deftypefun int setpgrp (pid_t @var{pid}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall or setpgid wrapper.
 This is the BSD Unix name for @code{setpgid}.  Both functions do exactly
 the same thing.
 @end deftypefun
@@ -1230,6 +1250,8 @@ file itself and not a particular open file descriptor.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun pid_t tcgetpgrp (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function returns the process group ID of the foreground process
 group associated with the terminal open on descriptor @var{filedes}.
 
@@ -1258,6 +1280,8 @@ controlling terminal of the calling process.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int tcsetpgrp (int @var{filedes}, pid_t @var{pgid})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Stub, or ioctl on BSD and GNU/Linux.
 This function is used to set a terminal's foreground process group ID.
 The argument @var{filedes} is a descriptor which specifies the terminal;
 @var{pgid} specifies the process group.  The calling process must be a
@@ -1297,6 +1321,8 @@ process.
 @comment termios.h
 @comment Unix98
 @deftypefun pid_t tcgetsid (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Ioctl call, if avaialble, or tcgetpgrp followed by getsid.
 This function is used to obtain the process group ID of the session
 for which the terminal specified by @var{fildes} is the controlling terminal.
 If the call is successful the group ID is returned.  Otherwise the
diff --git a/manual/lang.texi b/manual/lang.texi
index ee04e23..d6cd90c 100644
--- a/manual/lang.texi
+++ b/manual/lang.texi
@@ -51,6 +51,8 @@ without indicating anything might be wrong.
 @comment assert.h
 @comment ISO
 @deftypefn Macro void assert (int @var{expression})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Verify the programmer's belief that @var{expression} is nonzero at
 this point in the program.
 
@@ -91,6 +93,8 @@ The @code{assert_perror} macro makes this easy.
 @comment assert.h
 @comment GNU
 @deftypefn Macro void assert_perror (int @var{errnum})
+@safety{@mtsafe{}@asunsafe{asmalloc, asynconsist}@acsafe{memleak, lockleak, incansist}}
+@c assert_fail_base calls asprintf, and fflushes stderr.
 Similar to @code{assert}, but verifies that @var{errnum} is zero.
 
 If @code{NDEBUG} is not defined, @code{assert_perror} tests the value of
@@ -423,6 +427,8 @@ The type @code{va_list} is used for argument pointer variables.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_start (va_list @var{ap}, @var{last-required})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This macro initializes the argument pointer variable @var{ap} to point
 to the first of the optional arguments of the current function;
 @var{last-required} must be the last required argument to the function.
@@ -431,6 +437,8 @@ to the first of the optional arguments of the current function;
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} @var{type} va_arg (va_list @var{ap}, @var{type})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_arg} macro returns the value of the next optional argument,
 and modifies the value of @var{ap} to point to the subsequent argument.
 Thus, successive uses of @code{va_arg} return successive optional
@@ -445,6 +453,8 @@ of the actual argument.
 @comment stdarg.h
 @comment ISO
 @deftypefn {Macro} void va_end (va_list @var{ap})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This ends the use of @var{ap}.  After a @code{va_end} call, further
 @code{va_arg} calls with the same @var{ap} may not work.  You should invoke
 @code{va_end} before returning from the function in which @code{va_start}
@@ -466,6 +476,8 @@ of the same type.
 @comment ISO
 @deftypefn {Macro} void va_copy (va_list @var{dest}, va_list @var{src})
 @deftypefnx {Macro} void __va_copy (va_list @var{dest}, va_list @var{src})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 The @code{va_copy} macro allows copying of objects of type
 @code{va_list} even if this is not an integral type.  The argument pointer
 in @var{dest} is initialized to point to the same argument as the
@@ -1212,6 +1224,8 @@ type of a particular structure member.
 @comment stddef.h
 @comment ISO
 @deftypefn {Macro} size_t offsetof (@var{type}, @var{member})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is no longer provided by glibc, but rather by the compiler.
 This expands to a integer constant expression that is the offset of the
 structure member named @var{member} in the structure type @var{type}.
 For example, @code{offsetof (struct s, elem)} is the offset, in bytes,
diff --git a/manual/libdl.texi b/manual/libdl.texi
new file mode 100644
index 0000000..e3fe045
--- /dev/null
+++ b/manual/libdl.texi
@@ -0,0 +1,10 @@
+@c FIXME these are undocumented:
+@c dladdr
+@c dladdr1
+@c dlclose
+@c dlerror
+@c dlinfo
+@c dlmopen
+@c dlopen
+@c dlsym
+@c dlvsym
diff --git a/manual/llio.texi b/manual/llio.texi
index b129cf4..66370c4 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -78,6 +78,7 @@ declared in @file{unistd.h}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int open (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The @code{open} function creates and returns a new file descriptor for
 the file named by @var{filename}.  Initially, the file position
 indicator for the file is at the beginning of the file.  The argument
@@ -164,6 +165,7 @@ and @code{freopen} functions, that create streams.
 @comment fcntl.h
 @comment Unix98
 @deftypefun int open64 (const char *@var{filename}, int @var{flags}[, mode_t @var{mode}])
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{open}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 difference is that on 32 bit systems the file is opened in the
@@ -178,6 +180,7 @@ replaces the old API.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefn {Obsolete function} int creat (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is obsolete.  The call:
 
 @smallexample
@@ -202,6 +205,7 @@ since all of the lowlevel file handling functions are equally replaced.
 @comment fcntl.h
 @comment Unix98
 @deftypefn {Obsolete function} int creat64 (const char *@var{filename}, mode_t @var{mode})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 This function is similar to @code{creat}.  It returns a file descriptor
 which can be used to access the file named by @var{filename}.  The only
 the difference is that on 32 bit systems the file is opened in the
@@ -219,6 +223,7 @@ replaces the old API.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int close (int @var{filedes})
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
 The function @code{close} closes the file descriptor @var{filedes}.
 Closing a file has the following consequences:
 
@@ -300,6 +305,7 @@ but must be a signed type.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t read (int @var{filedes}, void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{read} function reads up to @var{size} bytes from the file
 with descriptor @var{filedes}, storing the results in the @var{buffer}.
 (This is not necessarily a character string, and no terminating null
@@ -395,6 +401,10 @@ functions that read from streams, such as @code{fgetc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, read and lseek back, but is it
+@c used anywhere?
 The @code{pread} function is similar to the @code{read} function.  The
 first three arguments are identical, and the return values and error
 codes also correspond.
@@ -430,6 +440,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pread64 (int @var{filedes}, void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, read and lseek64 back, but is
+@c it used anywhere?
 This function is similar to the @code{pread} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -447,6 +461,7 @@ When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} on a
 @comment unistd.h
 @comment POSIX.1
 @deftypefun ssize_t write (int @var{filedes}, const void *@var{buffer}, size_t @var{size})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{write} function writes up to @var{size} bytes from
 @var{buffer} to the file with descriptor @var{filedes}.  The data in
 @var{buffer} is not necessarily a character string and a null character is
@@ -557,6 +572,10 @@ functions that write to streams, such as @code{fputc}.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek, write and lseek back, but is it
+@c used anywhere?
 The @code{pwrite} function is similar to the @code{write} function.  The
 first three arguments are identical, and the return values and error codes
 also correspond.
@@ -592,6 +611,10 @@ version 2.
 @comment unistd.h
 @comment Unix98
 @deftypefun ssize_t pwrite64 (int @var{filedes}, const void *@var{buffer}, size_t @var{size}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c This is usually a safe syscall.  The sysdeps/posix fallback emulation
+@c is not MT-Safe because it uses lseek64, write and lseek64 back, but
+@c is it used anywhere?
 This function is similar to the @code{pwrite} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -624,6 +647,7 @@ To read the current file position value from a descriptor, use
 @comment unistd.h
 @comment POSIX.1
 @deftypefun off_t lseek (int @var{filedes}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lseek} function is used to change the file position of the
 file with descriptor @var{filedes}.
 
@@ -713,6 +737,7 @@ descriptors.
 @comment unistd.h
 @comment Unix98
 @deftypefun off64_t lseek64 (int @var{filedes}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to the @code{lseek} function.  The difference
 is that the @var{offset} parameter is of type @code{off64_t} instead of
 @code{off_t} which makes it possible on 32 bit machines to address
@@ -825,6 +850,7 @@ declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun {FILE *} fdopen (int @var{filedes}, const char *@var{opentype})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 The @code{fdopen} function returns a new stream for the file descriptor
 @var{filedes}.
 
@@ -853,6 +879,7 @@ see @ref{Creating a Pipe}.
 @comment stdio.h
 @comment POSIX.1
 @deftypefun int fileno (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the file descriptor associated with the stream
 @var{stream}.  If an error is detected (for example, if the @var{stream}
 is not valid) or if @var{stream} does not do I/O to a file,
@@ -862,6 +889,7 @@ is not valid) or if @var{stream} does not do I/O to a file,
 @comment stdio.h
 @comment GNU
 @deftypefun int fileno_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fileno_unlocked} function is equivalent to the @code{fileno}
 function except that it does not implicitly lock the stream if the state
 is @code{FSETLOCKING_INTERNAL}.
@@ -1071,7 +1099,11 @@ Contains the length of the buffer.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t readv (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
-
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer into which data is read, if the total read size is
+@c too large for alloca.
 The @code{readv} function reads data from @var{filedes} and scatters it
 into the buffers described in @var{vector}, which is taken to be
 @var{count} structures long.  As each buffer is filled, data is sent to the
@@ -1089,6 +1121,11 @@ errors are the same as in @code{read}.
 @comment sys/uio.h
 @comment BSD
 @deftypefun ssize_t writev (int @var{filedes}, const struct iovec *@var{vector}, int @var{count})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@c The fallback sysdeps/posix implementation, used even on GNU/Linux
+@c with old kernels that lack a full readv/writev implementation, may
+@c malloc the buffer from which data is written, if the total write size
+@c is too large for alloca.
 
 The @code{writev} function gathers data from the buffers described in
 @var{vector}, which is taken to be @var{count} structures long, and writes
@@ -1149,6 +1186,7 @@ These functions are declared in @file{sys/mman.h}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun {void *} mmap (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{mmap} function creates a new mapping, connected to bytes
 (@var{offset}) to (@var{offset} + @var{length} - 1) in the file open on
@@ -1268,6 +1306,9 @@ The file is on a filesystem that doesn't support mapping.
 @comment sys/mman.h
 @comment LFS
 @deftypefun {void *} mmap64 (void *@var{address}, size_t @var{length}, int @var{protect}, int @var{flags}, int @var{filedes}, off64_t @var{offset})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The page_shift auto detection when MMAP2_PAGE_SHIFT is -1 (it never
+@c is) would be thread-unsafe.
 The @code{mmap64} function is equivalent to the @code{mmap} function but
 the @var{offset} parameter is of type @code{off64_t}.  On 32-bit systems
 this allows the file associated with the @var{filedes} descriptor to be
@@ -1284,6 +1325,7 @@ replaces the old API.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int munmap (void *@var{addr}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 @code{munmap} removes any memory maps from (@var{addr}) to (@var{addr} +
 @var{length}).  @var{length} should be the length of the mapping.
@@ -1310,6 +1352,7 @@ aligned.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int msync (void *@var{address}, size_t @var{length}, int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 When using shared mappings, the kernel can write the file at any time
 before the mapping is removed.  To be certain data has actually been
@@ -1357,6 +1400,7 @@ There is no existing mapping in at least part of the given region.
 @comment sys/mman.h
 @comment GNU
 @deftypefun {void *} mremap (void *@var{address}, size_t @var{length}, size_t @var{new_length}, int @var{flag})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to change the size of an existing memory
 area. @var{address} and @var{length} must cover a region entirely mapped
@@ -1405,6 +1449,7 @@ Coding Standards}.
 @comment sys/mman.h
 @comment POSIX
 @deftypefun int madvise (void *@var{addr}, size_t @var{length}, int @var{advice})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 This function can be used to provide the system with @var{advice} about
 the intended usage patterns of the memory region starting at @var{addr}
@@ -1531,6 +1576,7 @@ that descriptor into an @code{fd_set}.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_ZERO (fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro initializes the file descriptor set @var{set} to be the
 empty set.
 @end deftypefn
@@ -1538,6 +1584,9 @@ empty set.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_SET (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro adds @var{filedes} to the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1547,6 +1596,9 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro void FD_CLR (int @var{filedes}, fd_set *@var{set})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Setting a bit isn't necessarily atomic, so there's a potential race
+@c here if set is not used exclusively.
 This macro removes @var{filedes} from the file descriptor set @var{set}.
 
 The @var{filedes} parameter must not have side effects since it is
@@ -1556,6 +1608,7 @@ evaluated more than once.
 @comment sys/types.h
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, const fd_set *@var{set})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro returns a nonzero value (true) if @var{filedes} is a member
 of the file descriptor set @var{set}, and zero (false) otherwise.
 
@@ -1568,6 +1621,10 @@ Next, here is the description of the @code{select} function itself.
 @comment sys/types.h
 @comment BSD
 @deftypefun int select (int @var{nfds}, fd_set *@var{read-fds}, fd_set *@var{write-fds}, fd_set *@var{except-fds}, struct timeval *@var{timeout})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c The select syscall is preferred, but pselect6 may be used instead,
+@c which requires converting timeout to a timespec and back.  The
+@c conversions are not atomic.
 The @code{select} function blocks the calling process until there is
 activity on any of the specified sets of file descriptors, or until the
 timeout period has expired.
@@ -1670,6 +1727,7 @@ they return.
 @comment unistd.h
 @comment X/Open
 @deftypefun void sync (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 A call to this function will not return as long as there is data which
 has not been written to the device.  All dirty buffers in the kernel will
 be written and so an overall consistent system can be achieved (if no
@@ -1685,6 +1743,7 @@ committed, rather than all data in the system.  For this, @code{sync} is overkil
 @comment unistd.h
 @comment POSIX
 @deftypefun int fsync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fsync} function can be used to make sure all data associated with
 the open file @var{fildes} is written to the device associated with the
 descriptor.  The function call does not return unless all actions have
@@ -1722,6 +1781,7 @@ recovering of the file in case of a problem.
 @comment unistd.h
 @comment POSIX
 @deftypefun int fdatasync (int @var{fildes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 When a call to the @code{fdatasync} function returns, it is ensured
 that all of the file data is written to the device.  For all pending I/O
 operations, the parts guaranteeing data integrity finished.
@@ -1923,6 +1983,158 @@ aiocb64}, since the LFS transparently replaces the old interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_read (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Calls aio_enqueue_request.
+@c aio_enqueue_request selfdeadlock, asmalloc, lockleak, memleak
+@c  pthread_self ok
+@c  pthread_getschedparam selfdeadlock, lockleak
+@c   lll_lock (pthread descriptor's lock) selfdeadlock, lockleak
+@c   sched_getparam ok
+@c   sched_getscheduler ok
+@c   lll_unlock lockleak
+@c  pthread_mutex_lock (aio_requests_mutex) selfdeadlock, lockleak
+@c  get_elem asmalloc, memleak, [asynconsist, incansist], [xguargs]
+@c   realloc asmalloc, memleak
+@c   calloc asmalloc, memleak
+@c  aio_create_helper_thread selfdeadlock, asmalloc, lockleak, memleak
+@c   pthread_attr_init ok
+@c   pthread_attr_setdetachstate ok
+@c   pthread_get_minstack ok
+@c   pthread_attr_setstacksize ok
+@c   sigfillset ok
+@c    memset ok
+@c    sigdelset ok [xguargs, but the caller's sigset is automatic]
+@c   SYSCALL rt_sigprocmask ok
+@c   pthread_create selfdeadlock, asmalloc, lockleak, memleak
+@c    lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c    alloca/malloc asmalloc, memleak
+@c    lll_unlock lockleak
+@c    allocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     getpagesize dup
+@c     lll_lock (default_pthread_attr_lock) selfdeadlock, lockleak
+@c     lll_unlock lockleak
+@c     _dl_allocate_tls asmalloc, memleak
+@c      _dl_allocate_tls_storage asmalloc, memleak
+@c       memalign asmalloc, memleak
+@c       memset ok
+@c       allocate_dtv dup
+@c       free asmalloc, memleak
+@c      allocate_dtv asmalloc, memleak
+@c       calloc asmalloc, memleak
+@c       INSTALL_DTV ok
+@c     list_add dup
+@c     get_cached_stack
+@c      lll_lock (stack_cache_lock) selfdeadlock, lockleak
+@c      list_for_each ok
+@c      list_entry dup
+@c      FREE_P dup
+@c      stack_list_del dup
+@c      stack_list_add dup
+@c      lll_unlock lockleak
+@c      _dl_allocate_tls_init ok
+@c       GET_DTV ok
+@c     mmap ok
+@c     atomic_increment_val ok
+@c     munmap ok
+@c     change_stack_perm ok
+@c      mprotect ok
+@c     mprotect ok
+@c     stack_list_del dup
+@c     _dl_deallocate_tls dup
+@c     munmap ok
+@c    THREAD_COPY_STACK_GUARD ok
+@c    THREAD_COPY_POINTER_GUARD ok
+@c    atomic_exchange_acq ok
+@c    lll_futex_wake ok
+@c    deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_lock (state_cache_lock) selfdeadlock, lockleak
+@c     stack_list_del ok
+@c      atomic_write_barrier ok
+@c      list_del ok [uunguard]
+@c      atomic_write_barrier ok
+@c     queue_stack asmalloc, memleak
+@c      stack_list_add ok
+@c       atomic_write_barrier ok
+@c       list_add ok [uunguard]
+@c       atomic_write_barrier ok
+@c      free_stacks asmalloc, memleak
+@c       list_for_each_prev_safe ok
+@c       list_entry ok
+@c       FREE_P ok
+@c       stack_list_del dup
+@c       _dl_deallocate_tls dup
+@c       munmap ok
+@c     _dl_deallocate_tls asmalloc, memleak
+@c      free asmalloc, memleak
+@c     lll_unlock lockleak
+@c    create_thread selfdeadlock, asmalloc, lockleak, memleak
+@c     td_eventword
+@c     td_eventmask
+@c     do_clone selfdeadlock, asmalloc, lockleak, memleak
+@c      PREPARE_CREATE ok
+@c      lll_lock (pd->lock) selfdeadlock, lockleak
+@c      atomic_increment ok
+@c      clone ok
+@c      atomic_decrement ok
+@c      atomic_exchange_acq ok
+@c      lll_futex_wake ok
+@c      deallocate_stack dup
+@c      sched_setaffinity ok
+@c      tgkill ok
+@c      sched_setscheduler ok
+@c     atomic_compare_and_exchange_bool_acq ok
+@c     nptl_create_event ok
+@c     lll_unlock (pd->lock) lockleak
+@c    free asmalloc, memleak
+@c   pthread_attr_destroy ok (cpuset won't be set, so free isn't called)
+@c  add_request_to_runlist ok [xguargs]
+@c  pthread_cond_signal ok
+@c  aio_free_request ok [xguargs]
+@c  pthread_mutex_unlock lockleak
+
+@c (in the new thread, initiated with clone)
+@c    start_thread ok
+@c     HP_TIMING_NOW ok
+@c     ctype_init [glocale] (in theory, but optimized into safety)
+@c     atomic_exchange_acq ok
+@c     lll_futex_wake ok
+@c     sigemptyset ok
+@c     sigaddset ok
+@c     setjmp ok
+@c     CANCEL_ASYNC -> pthread_enable_asynccancel ok
+@c      do_cancel ok
+@c       pthread_unwind ok
+@c        Unwind_ForcedUnwind or longjmp ok [asmalloc, memleak?]
+@c     lll_lock selfdeadlock, lockleak
+@c     lll_unlock selfdeadlock, lockleak
+@c     CANCEL_RESET -> pthread_disable_asynccancel ok
+@c      lll_futex_wait ok
+@c     ->start_routine ok -----
+@c     call_tls_dtors selfdeadlock, asmalloc, lockleak, memleak
+@c      user-supplied dtor
+@c      rtld_lock_lock_recursive (dl_load_lock) selfdeadlock, lockleak
+@c      rtld_lock_unlock_recursive lockleak
+@c      free asmalloc, memleak
+@c     nptl_deallocate_tsd asmalloc, memleak
+@c      tsd user-supplied dtors ok
+@c      free asmalloc, memleak
+@c     libc_thread_freeres
+@c      libc_thread_subfreeres ok
+@c     atomic_decrement_and_test ok
+@c     td_eventword ok
+@c     td_eventmask ok
+@c     atomic_compare_exchange_bool_acq ok
+@c     nptl_death_event ok
+@c     lll_robust_dead ok
+@c     getpagesize ok
+@c     madvise ok
+@c     free_tcb selfdeadlock, asmalloc, lockleak, memleak
+@c      free asmalloc, memleak
+@c      deallocate_stack selfdeadlock, asmalloc, lockleak, memleak
+@c     lll_futex_wait ok
+@c     exit_thread_inline ok
+@c      syscall(exit) ok
+
 This function initiates an asynchronous read operation.  It
 immediately returns after the operation was enqueued or when an
 error was encountered.
@@ -1988,6 +2200,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_read64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_read} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{aio_read64} uses
@@ -2006,6 +2219,7 @@ of functions with a very similar interface.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_write (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function initiates an asynchronous write operation.  The function
 call immediately returns after the operation was enqueued or if before
 this happens an error was encountered.
@@ -2072,6 +2286,7 @@ replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_write64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{aio_write} function.  The only
 difference is that on @w{32 bit} machines the file descriptor should
 be opened in the large file mode.  Internally @code{aio_write64} uses
@@ -2093,6 +2308,12 @@ operations.  It is therefore similar to a combination of @code{readv} and
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int lio_listio (int @var{mode}, struct aiocb *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Call lio_listio_internal, that takes the aio_requests_mutex lock and
+@c enqueues each request.  Then, it waits for notification or prepares
+@c for it before releasing the lock.  Even though it performs memory
+@c allocation and locking of its own, it doesn't add any classes of
+@c safety issues that aren't already covered by aio_enqueue_request.
 The @code{lio_listio} function can be used to enqueue an arbitrary
 number of read and write requests at one time.  The requests can all be
 meant for the same file, all for different files or every solution in
@@ -2176,6 +2397,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int lio_listio64 (int @var{mode}, struct aiocb64 *const @var{list}[], int @var{nent}, struct sigevent *@var{sig})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to the @code{lio_listio} function.  The only
 difference is that on @w{32 bit} machines, the file descriptor should
 be opened in the large file mode.  Internally, @code{lio_listio64} uses
@@ -2204,6 +2426,7 @@ The following two functions allow you to get this kind of information.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_error (const struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function determines the error state of the request described by the
 @code{struct aiocb} variable pointed to by @var{aiocbp}.  If the
 request has not yet terminated the value returned is always
@@ -2225,6 +2448,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_error64 (const struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_error} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2238,6 +2462,7 @@ machines.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun ssize_t aio_return (struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function can be used to retrieve the return status of the operation
 carried out by the request described in the variable pointed to by
 @var{aiocbp}.  As long as the error status of this request as returned
@@ -2261,6 +2486,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun ssize_t aio_return64 (struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is similar to @code{aio_return} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2289,6 +2515,9 @@ if the symbol @code{_POSIX_SYNCHRONIZED_IO} is defined in @file{unistd.h}.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_fsync (int @var{op}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check that the FD is open, it calls
+@c aio_enqueue_request.
 Calling this function forces all I/O operations operating queued at the
 time of the function call operating on the file descriptor
 @code{aiocbp->aio_fildes} into the synchronized I/O completion state
@@ -2336,6 +2565,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_fsync64 (int @var{op}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_fsync} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2362,6 +2592,9 @@ before the current client is served.  For situations like this
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_suspend (const struct aiocb *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c Take aio_requests_mutex, set up waitlist and requestlist, wait
+@c for completion or timeout, and release the mutex.
 When calling this function, the calling thread is suspended until at
 least one of the requests pointed to by the @var{nent} elements of the
 array @var{list} has completed.  If any of the requests has already
@@ -2400,6 +2633,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_suspend64 (const struct aiocb64 *const @var{list}[], int @var{nent}, const struct timespec *@var{timeout})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
 This function is similar to @code{aio_suspend} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2427,6 +2661,16 @@ or not.  Therefore using this function is merely a hint.
 @comment aio.h
 @comment POSIX.1b
 @deftypefun int aio_cancel (int @var{fildes}, struct aiocb *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c After fcntl to check the fd is open, hold aio_requests_mutex, call
+@c aio_find_req_fd, aio_remove_request, then aio_notify and
+@c aio_free_request each request before releasing the lock.
+@c aio_notify calls aio_notify_only and free, besides cond signal or
+@c similar.  aio_notify_only calls pthread_attr_init,
+@c pthread_attr_setdetachstate, malloc, pthread_create,
+@c notify_func_wrapper, aio_sigqueue, getpid, raise.
+@c notify_func_wraper calls aio_start_notify_thread, free and then the
+@c notifier function.
 The @code{aio_cancel} function can be used to cancel one or more
 outstanding requests.  If the @var{aiocbp} parameter is @code{NULL}, the
 function tries to cancel all of the outstanding requests which would process
@@ -2474,6 +2718,7 @@ transparently replaces the normal implementation.
 @comment aio.h
 @comment Unix98
 @deftypefun int aio_cancel64 (int @var{fildes}, struct aiocb64 *@var{aiocbp})
+@safety{@mtsafe{}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
 This function is similar to @code{aio_cancel} with the only difference
 that the argument is a reference to a variable of type @code{struct
 aiocb64}.
@@ -2529,6 +2774,8 @@ Unused.
 @comment aio.h
 @comment GNU
 @deftypefun void aio_init (const struct aioinit *@var{init})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acunsafe{lockleak}}
+@c All changes to global objects are guarded by aio_requests_mutex.
 This function must be called before any other AIO function.  Calling it
 is completely voluntary, as it is only meant to help the AIO
 implementation perform better.
@@ -2563,6 +2810,7 @@ function; see @ref{Opening and Closing Files}.
 @comment fcntl.h
 @comment POSIX.1
 @deftypefun int fcntl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcntl} function performs the operation specified by
 @var{command} on the file descriptor @var{filedes}.  Some commands
 require additional arguments to be supplied.  These additional arguments
@@ -2645,6 +2893,7 @@ while prototypes for @code{dup} and @code{dup2} are in the header file
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup (int @var{old})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies descriptor @var{old} to the first available
 descriptor number (the first number not currently open).  It is
 equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
@@ -2653,6 +2902,7 @@ equivalent to @code{fcntl (@var{old}, F_DUPFD, 0)}.
 @comment unistd.h
 @comment POSIX.1
 @deftypefun int dup2 (int @var{old}, int @var{new})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function copies the descriptor @var{old} to descriptor number
 @var{new}.
 
@@ -3631,6 +3881,7 @@ different headers.
 @comment sys/ioctl.h
 @comment BSD
 @deftypefun int ioctl (int @var{filedes}, int @var{command}, @dots{})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 
 The @code{ioctl} function performs the generic I/O operation
 @var{command} on @var{filedes}.
@@ -3650,3 +3901,6 @@ unknown device.
 Most IOCTLs are OS-specific and/or only used in special system utilities,
 and are thus beyond the scope of this document.  For an example of the use
 of an IOCTL, see @ref{Out-of-Band Data}.
+
+@c FIXME this is undocumented:
+@c dup3
diff --git a/manual/locale.texi b/manual/locale.texi
index 323268d..da50d18 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,10 +224,16 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
-@safety{@mtunsafe{uunguard}}
-@c This function is MT-Safe, but uses of the global locale object are
-@c unguarded in functions that ought to be MT-Safe, so we're ruling out
-@c the use of this function once threads are started.
+@safety{@mtunsafe{uunguard, envromt}@asunsafe{selfdeadlock, asmalloc}@acunsafe{lockleak, memleak}}
+@c Uses of the global locale object are unguarded in functions that
+@c ought to be MT-Safe, so we're ruling out the use of this function
+@c once threads are started.  It takes a write lock itself, but it may
+@c return a pointer loaded from the global locale object after releasing
+@c the lock, or before taking it.  It calls getenv for LOCPATH, malloc
+@c and free, and _nl_find_locale, which amount to all documented safety
+@c issues.  It also calls new_composite_name, setdata, and setname,
+@c without any additional issues.  _nl_find_locale calls getenv, ...
+This function returns a pointer read 
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running
diff --git a/manual/resource.texi b/manual/resource.texi
index 1ec7af2..71b08f7 100644
--- a/manual/resource.texi
+++ b/manual/resource.texi
@@ -223,6 +223,8 @@ The symbols for use with @code{getrlimit}, @code{setrlimit},
 @comment sys/resource.h
 @comment BSD
 @deftypefun int getrlimit (int @var{resource}, struct rlimit *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems.
 Read the current and maximum limits for the resource @var{resource}
 and store them in @code{*@var{rlp}}.
 
@@ -237,6 +239,8 @@ LFS interface transparently replaces the old interface.
 @comment sys/resource.h
 @comment Unix98
 @deftypefun int getrlimit64 (int @var{resource}, struct rlimit64 *@var{rlp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Direct syscall on most systems, wrapper to the getrlimit otherwise.
 This function is similar to @code{getrlimit} but its second parameter is
 a pointer to a variable of type @code{struct rlimit64}, which allows it
 to read values which wouldn't fit in the member of a @code{struct
@@ -1516,6 +1520,9 @@ There is a much older interface available, too.
 @comment unistd.h
 @comment BSD
 @deftypefun int getpagesize (void)
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Obtained from the aux vec at program startup time.  GNU/Linux/m68k is
+@c the exception, with the possibility of a syscall.
 The @code{getpagesize} function returns the page size of the process.
 This value is fixed for the runtime of the process but can vary in
 different runs of the application.
@@ -1559,6 +1566,8 @@ get this information two functions.  They are declared in the file
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_phys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This fopens a /proc file and scans it for the requested information.
 The @code{get_phys_pages} function returns the total number of pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1569,6 +1578,7 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun {long int} get_avphys_pages (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
 The @code{get_phys_pages} function returns the number of available pages of
 physical the system has.  To get the amount of memory this number has to
 be multiplied by the page size.
@@ -1614,6 +1624,10 @@ in @file{sys/sysinfo.h}.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs_conf (void)
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, fdleak, memleak}}
+@c This function reads from from /sys using dir streams (single user, so
+@c no staticbuf MT-Safety issue), and on some arches, from /proc using
+@c streams.
 The @code{get_nprocs_conf} function returns the number of processors the
 operating system configured.
 
@@ -1623,6 +1637,8 @@ This function is a GNU extension.
 @comment sys/sysinfo.h
 @comment GNU
 @deftypefun int get_nprocs (void)
+@safety{@mtsafe{}@assafe{}@acsafe{fdleak}}
+@c This function reads from /proc using file descriptor I/O.
 The @code{get_nprocs} function returns the number of available processors.
 
 This function is a GNU extension.
diff --git a/manual/search.texi b/manual/search.texi
index efd3604..6910edc 100644
--- a/manual/search.texi
+++ b/manual/search.texi
@@ -146,6 +146,7 @@ To sort an array using an arbitrary comparison function, use the
 @comment stdlib.h
 @comment ISO
 @deftypefun void qsort (void *@var{array}, size_t @var{count}, size_t @var{size}, comparison_fn_t @var{compare})
+@safety{@mtsafe{xguargs}@assafe{asmalloc}@acsafe{memleak}}
 The @var{qsort} function sorts the array @var{array}.  The array contains
 @var{count} elements, each of which is of size @var{size}.
 
@@ -436,6 +437,11 @@ in the header file @file{search.h}.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tsearch (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
+@c The tree is not modified in a thread-safe manner, and rotations may
+@c leave the tree in an inconsistent state that could be observed in an
+@c asynchronous signal handler or after asynchronous cancellation of the
+@c thread performing the rotation or the insertion.
 The @code{tsearch} function searches in the tree pointed to by
 @code{*@var{rootp}} for an element matching @var{key}.  The function
 pointed to by @var{compar} is used to determine whether two elements
@@ -465,6 +471,7 @@ of space @code{NULL} is returned.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tfind (const void *@var{key}, void *const *@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
 The @code{tfind} function is similar to the @code{tsearch} function.  It
 locates an element matching the one pointed to by @var{key} and returns
 a pointer to this element.  But if no matching element is available no
@@ -479,6 +486,7 @@ elements.
 @comment search.h
 @comment SVID
 @deftypefun {void *} tdelete (const void *@var{key}, void **@var{rootp}, comparison_fn_t @var{compar})
+@safety{@mtunsafe{xguargs}@asunsafe{asynconsist, asmalloc}@acunsafe{incansist, memleak}}
 To remove a specific element matching @var{key} from the tree
 @code{tdelete} can be used.  It locates the matching element using the
 same method as @code{tfind}.  The corresponding element is then removed
@@ -492,6 +500,7 @@ is deleted @code{tdelete} returns some unspecified value not equal to
 @comment search.h
 @comment GNU
 @deftypefun void tdestroy (void *@var{vroot}, __free_fn_t @var{freefct})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 If the complete search tree has to be removed one can use
 @code{tdestroy}.  It frees all resources allocated by the @code{tsearch}
 function to generate the tree pointed to by @var{vroot}.
@@ -546,6 +555,7 @@ The current node is a leaf.
 @comment search.h
 @comment SVID
 @deftypefun void twalk (const void *@var{root}, __action_fn_t @var{action})
+@safety{@mtsafe{xguards}@assafe{}@acsafe{}}
 For each node in the tree with a node pointed to by @var{root}, the
 @code{twalk} function calls the function provided by the parameter
 @var{action}.  For leaf nodes the function is called exactly once with
diff --git a/manual/startup.texi b/manual/startup.texi
index a277714..7bbaf13 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -358,8 +358,8 @@ value is nonzero and @code{errno} is set to indicate the error.
 The difference to the @code{setenv} function is that the exact string
 given as the parameter @var{string} is put into the environment.  If the
 user should change the string after the @code{putenv} call this will
-reflect in automatically in the environment.  This also requires that
-@var{string} is no automatic variable which scope is left before the
+reflect automatically in the environment.  This also requires that
+@var{string} not be an automatic variable whose scope is left before the
 variable is removed from the environment.  The same applies of course to
 dynamically allocated variables which are freed later.
 
diff --git a/manual/stdio.texi b/manual/stdio.texi
index 7809dd4..79a3340 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,7 +148,7 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
 @c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
@@ -267,7 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -414,7 +414,7 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
 @c After fclose, it is undefined behavior to use the stream it points
 @c to.  Therefore, one must only call fclose when the stream is
 @c otherwise unused.  Concurrent uses started before will complete
@@ -2662,6 +2662,42 @@ pointer @var{ap}.
 @c case of cancellation.  This doesn't make it unsafe, but cancelling it
 @c may leak memory.  The unguarded use of __printf_function_table is
 @c also of concern for all callers.
+@c _itoa ok
+@c   _udiv_qrnnd_preinv ok
+@c group_number ok
+@c _i18n_number_rewrite
+@c   __wctrans ok
+@c   __towctrans glocale
+@c   __wcrtomb ok? dup below
+@c   outdigit_value ok
+@c   outdigitwc_value ok
+@c outchar ok
+@c outstring ok
+@c PAD ok
+@c __printf_fp glocale memleak
+@c __printf_fphex glocale
+@c __readonly_area
+@c   [GNU/Linux] fopen, strtoul, free
+@c __strerror_r ok if no translation, check otherwise
+@c __btowc ? gconv-modules
+@c __wcrtomb ok (not using internal state) gconv-modules
+@c ARGCHECK
+@c UNBUFFERED_P (tested before taking the stream lock)
+@c buffered_vfprintf ok
+@c __find_spec(wc|mb)
+@c read_int
+@c __libc_use_alloca
+@c process_arg
+@c process_string_arg
+@c extend_alloca
+@c __parse_one_spec(wc|mb)
+@c *__printf_arginfo_table unguarded
+@c __printf_va_arg_table-> unguarded
+@c *__printf_function_table unguarded
+@c done_add
+@c printf_unknown
+@c   outchar
+@c   _itoa_word
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -5020,7 +5056,7 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
 @c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
 @c bringing with it additional potential for async trouble with
 @c list_all_lock.
@@ -5076,7 +5112,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
-@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -5192,7 +5228,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
-@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
diff --git a/manual/string.texi b/manual/string.texi
index 246be84..a75d298 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1247,6 +1247,8 @@ strncmp ("hello, world", "hello, stupid world!!!", 5)
 @comment string.h
 @comment GNU
 @deftypefun int strverscmp (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale}@acunsafe{glocale}}
+@c Calls isdigit multiple times, locale may change in between.
 The @code{strverscmp} function compares the string @var{s1} against
 @var{s2}, considering them as holding indices/version numbers.  The
 return value follows the same conventions as found in the
@@ -1343,6 +1345,8 @@ transformed strings with @code{strcmp} or @code{wcscmp}.
 @comment string.h
 @comment ISO
 @deftypefun int strcoll (const char *@var{s1}, const char *@var{s2})
+@safety{@mtsafe{}@asunsafe{glocale-revisit}@acunsafe{glocale-revisit}}
+@c Adjust alphasort one safety info is determined.
 The @code{strcoll} function is similar to @code{strcmp} but uses the
 collating sequence of the current locale for collation (the
 @code{LC_COLLATE} locale).
diff --git a/manual/terminal.texi b/manual/terminal.texi
index 9e9c057..7f62a4e 100644
--- a/manual/terminal.texi
+++ b/manual/terminal.texi
@@ -264,6 +264,9 @@ array.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcgetattr (int @var{filedes}, struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the kernel-returned termios data structure to the userland
+@c format does not ensure atomic or consistent writing.
 This function is used to examine the attributes of the terminal
 device with file descriptor @var{filedes}.  The attributes are returned
 in the structure that @var{termios-p} points to.
@@ -284,6 +287,9 @@ The @var{filedes} is not associated with a terminal.
 @comment termios.h
 @comment POSIX.1
 @deftypefun int tcsetattr (int @var{filedes}, int @var{when}, const struct termios *@var{termios-p})
+@safety{@mtsafe{xguargs}@assafe{}@acsafe{}}
+@c Converting the incoming termios data structure to the kernel format
+@c does not ensure atomic or consistent reading.
 This function sets the attributes of the terminal device with file
 descriptor @var{filedes}.  The new attributes are taken from the
 structure that @var{termios-p} points to.
diff --git a/manual/threads.texi b/manual/threads.texi
index a23ac26..19bfad6 100644
--- a/manual/threads.texi
+++ b/manual/threads.texi
@@ -31,6 +31,7 @@ before thread-specific data, so they should not be used in thread-specific
 data destructors or even as members of the thread-specific data, since the
 latter is passed as an argument to the destructor function.
 
+@c FIXME: use @deftypefun for these.
 @item int pthread_key_delete (pthread_key_t @var{key})
 Destroy the thread-specific data @var{key} in the calling thread.  The
 destructor for the thread-specific data is not called during destruction, nor
@@ -82,3 +83,124 @@ attributes or the stack address is set in the attribute.
 The system does not have sufficient memory.
 @end table
 @end deftypefun
+
+@c FIXME these are undocumented:
+@c pthread_atfork
+@c pthread_attr_destroy
+@c pthread_attr_getaffinity_np
+@c pthread_attr_getdetachstate
+@c pthread_attr_getguardsize
+@c pthread_attr_getinheritsched
+@c pthread_attr_getschedparam
+@c pthread_attr_getschedpolicy
+@c pthread_attr_getscope
+@c pthread_attr_getstack
+@c pthread_attr_getstackaddr
+@c pthread_attr_getstacksize
+@c pthread_attr_init
+@c pthread_attr_setaffinity_np
+@c pthread_attr_setdetachstate
+@c pthread_attr_setguardsize
+@c pthread_attr_setinheritsched
+@c pthread_attr_setschedparam
+@c pthread_attr_setschedpolicy
+@c pthread_attr_setscope
+@c pthread_attr_setstack
+@c pthread_attr_setstackaddr
+@c pthread_attr_setstacksize
+@c pthread_barrierattr_destroy
+@c pthread_barrierattr_getpshared
+@c pthread_barrierattr_init
+@c pthread_barrierattr_setpshared
+@c pthread_barrier_destroy
+@c pthread_barrier_init
+@c pthread_barrier_wait
+@c pthread_cancel
+@c pthread_cleanup_push
+@c pthread_cleanup_pop
+@c pthread_condattr_destroy
+@c pthread_condattr_getclock
+@c pthread_condattr_getpshared
+@c pthread_condattr_init
+@c pthread_condattr_setclock
+@c pthread_condattr_setpshared
+@c pthread_cond_broadcast
+@c pthread_cond_destroy
+@c pthread_cond_init
+@c pthread_cond_signal
+@c pthread_cond_timedwait
+@c pthread_cond_wait
+@c pthread_create
+@c pthread_detach
+@c pthread_equal
+@c pthread_exit
+@c pthread_getaffinity_np
+@c pthread_getattr_np
+@c pthread_getconcurrency
+@c pthread_getcpuclockid
+@c pthread_getname_np
+@c pthread_getschedparam
+@c pthread_join
+@c pthread_kill
+@c pthread_kill_other_threads_np
+@c pthread_mutexattr_destroy
+@c pthread_mutexattr_getkind_np
+@c pthread_mutexattr_getprioceiling
+@c pthread_mutexattr_getprotocol
+@c pthread_mutexattr_getpshared
+@c pthread_mutexattr_getrobust
+@c pthread_mutexattr_getrobust_np
+@c pthread_mutexattr_gettype
+@c pthread_mutexattr_init
+@c pthread_mutexattr_setkind_np
+@c pthread_mutexattr_setprioceiling
+@c pthread_mutexattr_setprotocol
+@c pthread_mutexattr_setpshared
+@c pthread_mutexattr_setrobust
+@c pthread_mutexattr_setrobust_np
+@c pthread_mutexattr_settype
+@c pthread_mutex_consistent
+@c pthread_mutex_consistent_np
+@c pthread_mutex_destroy
+@c pthread_mutex_getprioceiling
+@c pthread_mutex_init
+@c pthread_mutex_lock
+@c pthread_mutex_setprioceiling
+@c pthread_mutex_timedlock
+@c pthread_mutex_trylock
+@c pthread_mutex_unlock
+@c pthread_once
+@c pthread_rwlockattr_destroy
+@c pthread_rwlockattr_getkind_np
+@c pthread_rwlockattr_getpshared
+@c pthread_rwlockattr_init
+@c pthread_rwlockattr_setkind_np
+@c pthread_rwlockattr_setpshared
+@c pthread_rwlock_destroy
+@c pthread_rwlock_init
+@c pthread_rwlock_rdlock
+@c pthread_rwlock_timedrdlock
+@c pthread_rwlock_timedwrlock
+@c pthread_rwlock_tryrdlock
+@c pthread_rwlock_trywrlock
+@c pthread_rwlock_unlock
+@c pthread_rwlock_wrlock
+@c pthread_self
+@c pthread_setaffinity_np
+@c pthread_setcancelstate
+@c pthread_setcanceltype
+@c pthread_setconcurrency
+@c pthread_setname_np
+@c pthread_setschedparam
+@c pthread_setschedprio
+@c pthread_sigmask
+@c pthread_sigqueue
+@c pthread_spin_destroy
+@c pthread_spin_init
+@c pthread_spin_lock
+@c pthread_spin_trylock
+@c pthread_spin_unlock
+@c pthread_testcancel
+@c pthread_timedjoin_np
+@c pthread_tryjoin_np
+@c pthread_yield
diff --git a/manual/time.texi b/manual/time.texi
index ff31e28..3967b24 100644
--- a/manual/time.texi
+++ b/manual/time.texi
@@ -475,6 +475,12 @@ Instead, use the facilities described in @ref{Time Zone Functions}.
 @comment sys/time.h
 @comment BSD
 @deftypefun int gettimeofday (struct timeval *@var{tp}, struct timezone *@var{tzp})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c On most GNU/Linux systems this is a direct syscall, but the posix/
+@c implementation (not used on GNU/Linux or GNU/Hurd) relies on time and
+@c localtime_r, saving and restoring tzname in an unsafe manner.
+@c On some GNU/Linux variants, ifunc resolvers are used in shared libc
+@c for vdso resolution.  ifunc-vdso-revisit.
 The @code{gettimeofday} function returns the current calendar time as
 the elapsed time since the epoch in the @code{struct timeval} structure
 indicated by @var{tp}.  (@pxref{Elapsed Time} for a description of

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b86a9adf8ea6fc915d528f3fa61ded06f3c91c61

commit b86a9adf8ea6fc915d528f3fa61ded06f3c91c61
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:43 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/ctype.texi: Document thread safety properties.

diff --git a/manual/ctype.texi b/manual/ctype.texi
index 3d13571..f05d509 100644
--- a/manual/ctype.texi
+++ b/manual/ctype.texi
@@ -691,6 +691,7 @@ This type is defined in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wctrans_t wctrans (const char *@var{property})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wctrans} function has to be used to find out whether a named
 mapping is defined in the current locale selected for the
 @code{LC_CTYPE} category.  If the returned value is non-zero, you can use
@@ -713,6 +714,7 @@ These functions are declared in @file{wctype.h}.
 @comment wctype.h
 @comment ISO
 @deftypefun wint_t towctrans (wint_t @var{wc}, wctrans_t @var{desc})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{towctrans} maps the input character @var{wc}
 according to the rules of the mapping for which @var{desc} is a
 descriptor, and returns the value it finds.  @var{desc} must be

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=00af0ed393c8103a619299dc34fcda36561f3cd7

commit 00af0ed393c8103a619299dc34fcda36561f3cd7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:41 2013 -0300

    Thread safety documentation.
    
    for ChangeLog
    
    	* manual/math.texi: Document thread safety properties.

diff --git a/manual/math.texi b/manual/math.texi
index 193d415..fd5d0c8 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -560,6 +560,7 @@ negative), @code{logb} returns @math{@infinity{}}.  If @var{x} is zero,
 @comment math.h
 @comment ISO
 @deftypefunx int ilogbl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are equivalent to the corresponding @code{logb}
 functions except that they return signed integer values.
 @end deftypefun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2138bb13b72835109d53a470595be6f31f485113

commit 2138bb13b72835109d53a470595be6f31f485113
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/locale.texi: Document thread safety properties.

diff --git a/manual/locale.texi b/manual/locale.texi
index 2f10fcd..323268d 100644
--- a/manual/locale.texi
+++ b/manual/locale.texi
@@ -224,6 +224,10 @@ The symbols in this section are defined in the header file @file{locale.h}.
 @comment locale.h
 @comment ISO
 @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale})
+@safety{@mtunsafe{uunguard}}
+@c This function is MT-Safe, but uses of the global locale object are
+@c unguarded in functions that ought to be MT-Safe, so we're ruling out
+@c the use of this function once threads are started.
 The function @code{setlocale} sets the current locale for category
 @var{category} to @var{locale}.  A list of all the locales the system
 provides can be created by running

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=29204588dcc2ae4b2c07025a50f8018c87cdc409

commit 29204588dcc2ae4b2c07025a50f8018c87cdc409
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:40 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/stdio.texi: Document thread safety properties.

diff --git a/manual/stdio.texi b/manual/stdio.texi
index 3f9be9b..7809dd4 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -148,6 +148,8 @@ Everything described in this section is declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} fopen (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, fdleak, lockleak}}
+@c fopen may leak the list lock if cancelled within _IO_link_in.
 The @code{fopen} function opens a stream for I/O to the file
 @var{filename}, and returns a pointer to the stream.
 
@@ -265,6 +267,7 @@ Locks}.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} fopen64 (const char *@var{filename}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, fdleak, lockleak}}
 This function is similar to @code{fopen} but the stream it returns a
 pointer for is opened using @code{open64}.  Therefore this stream can be
 used even on files larger then @math{2^31} bytes on 32 bit machines.
@@ -294,6 +297,16 @@ resource limit; @pxref{Limits on Resources}.
 @comment stdio.h
 @comment ISO
 @deftypefun {FILE *} freopen (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
+@c Like most I/O operations, this one is guarded by a recursive lock,
+@c released even upon cancellation, but cancellation may leak file
+@c descriptors and leave the stream in an inconsistent state (e.g.,
+@c still bound to the closed descriptor).  Also, if the stream is
+@c part-way through a significant update (say running freopen) when a
+@c signal handler calls freopen again on the same stream, the result is
+@c likely to be an inconsistent stream, and the possibility of closing
+@c twice file descriptor number that the stream used to use, the second
+@c time when it might have already been reused by another thread.
 This function is like a combination of @code{fclose} and @code{fopen}.
 It first closes the stream referred to by @var{stream}, ignoring any
 errors that are detected in the process.  (Because errors are ignored,
@@ -320,6 +333,7 @@ interface replaces transparently the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun {FILE *} freopen64 (const char *@var{filename}, const char *@var{opentype}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, fdleak}}
 This function is similar to @code{freopen}.  The only difference is that
 on 32 bit machine the stream returned is able to read beyond the
 @math{2^31} bytes limits imposed by the normal interface.  It should be
@@ -341,6 +355,7 @@ descriptor and these functions are also available in @theglibc{}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freadable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freadable} function determines whether the stream
 @var{stream} was opened to allow reading.  In this case the return value
 is nonzero.  For write-only streams the function returns zero.
@@ -351,6 +366,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwritable (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwritable} function determines whether the stream
 @var{stream} was opened to allow writing.  In this case the return value
 is nonzero.  For read-only streams the function returns zero.
@@ -364,6 +380,7 @@ They provide even finer-grained information.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __freading (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__freading} function determines whether the stream
 @var{stream} was last read from or whether it is opened read-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -377,6 +394,7 @@ This function is declared in @file{stdio_ext.h}.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fwriting (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__fwriting} function determines whether the stream
 @var{stream} was last written to or whether it is opened write-only.  In
 this case the return value is nonzero, otherwise it is zero.
@@ -396,6 +414,21 @@ cannot perform any additional operations on it.
 @comment stdio.h
 @comment ISO
 @deftypefun int fclose (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak, fdleak}}
+@c After fclose, it is undefined behavior to use the stream it points
+@c to.  Therefore, one must only call fclose when the stream is
+@c otherwise unused.  Concurrent uses started before will complete
+@c successfully because of the lock, which makes it MT-Safe.  Calling it
+@c from a signal handler is perfectly safe if the stream is known to be
+@c no longer used, which is a precondition for fclose to be safe in the
+@c first place; since this is no further requirement, fclose is safe for
+@c use in async signals too.  After calling fclose, you can no longer
+@c use the stream, not even to fclose it again, so its memory and file
+@c descriptor may leak if fclose is canceled before @c releasing them.
+@c That the stream must be unused and it becomes unused after the call
+@c is what would enable fclose to be AS- and AC-Safe while freopen
+@c isn't.  However, because of the possibility of leaving __gconv_lock
+@c taken upon cancellation, AC-Safety is lost.
 This function causes @var{stream} to be closed and the connection to
 the corresponding file to be broken.  Any buffered output is written
 and any buffered input is discarded.  The @code{fclose} function returns
@@ -418,6 +451,12 @@ another function.
 @comment stdio.h
 @comment GNU
 @deftypefun int fcloseall (void)
+@safety{@mtunsafe{nolock}@asunsafe{nolock}@acsafe{}}
+@c Like fclose, using any previously-opened streams after fcloseall is
+@c undefined.  However, the implementation of fcloseall isn't equivalent
+@c to calling fclose for all streams: it just flushes and unbuffers all
+@c streams, without any locking.  It's the flushing without locking that
+@c makes it unsafe.
 This function causes all open streams of the process to be closed and
 the connection to corresponding files to be broken.  All buffered data
 is written and any buffered input is discarded.  The @code{fcloseall}
@@ -474,6 +513,9 @@ perform the stream locking in the application code.
 @comment stdio.h
 @comment POSIX
 @deftypefun void flockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
+@c There's no way to tell whether the lock was acquired before or after
+@c cancellation so as to unlock only when appropriate.
 The @code{flockfile} function acquires the internal locking object
 associated with the stream @var{stream}.  This ensures that no other
 thread can explicitly through @code{flockfile}/@code{ftrylockfile} or
@@ -485,6 +527,7 @@ thread will block until the lock is acquired.  An explicit call to
 @comment stdio.h
 @comment POSIX
 @deftypefun int ftrylockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ftrylockfile} function tries to acquire the internal locking
 object associated with the stream @var{stream} just like
 @code{flockfile}.  But unlike @code{flockfile} this function does not
@@ -496,6 +539,7 @@ another thread.
 @comment stdio.h
 @comment POSIX
 @deftypefun void funlockfile (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{funlockfile} function releases the internal locking object of
 the stream @var{stream}. The stream must have been locked before by a
 call to @code{flockfile} or a successful call of @code{ftrylockfile}.
@@ -621,6 +665,15 @@ was introduced in Solaris and is available in @theglibc{} as well.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __fsetlocking (FILE *@var{stream}, int @var{type})
+@safety{@mtunsafe{xguargs, uunguard, lockleak}@asunsafe{lockleak}@acsafe{}}
+@c Changing the implicit-locking status of a stream while it's in use by
+@c another thread may cause a lock to be implicitly acquired and not
+@c released, or vice-versa.  This function should probably hold the lock
+@c while changing this setting, to make sure we don't change it while
+@c there are any concurrent uses.  Meanwhile, callers should acquire the
+@c lock themselves to be safe, and even concurrent uses with external
+@c locking will be fine, as long as functions that require external
+@c locking are not called without holding locks.
 
 The @code{__fsetlocking} function can be used to select whether the
 stream operations will implicitly acquire the locking object of the
@@ -635,6 +688,9 @@ locking.  Every stream operation with exception of the @code{_unlocked}
 variants will implicitly lock the stream.
 
 @item FSETLOCKING_BYCALLER
+@c ??? Does the possibility of disabling implicit locking on any stream
+@c make any of the non-_unlocked functions as MT-unsafe as the _unlocked
+@c ones?
 After the @code{__fsetlocking} function returns the user is responsible
 for locking the stream.  None of the stream operations will implicitly
 do this anymore until the state is set back to
@@ -725,6 +781,10 @@ will simply be strange or the application will simply crash.  The
 @comment wchar.h
 @comment ISO
 @deftypefun int fwide (FILE *@var{stream}, int @var{mode})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak}}
+@c Querying is always safe, but changing the stream when it's in use
+@c upthread may be problematic.  Like most lock-acquiring functions,
+@c this one may leak the lock if canceled.
 
 The @code{fwide} function can be used to set and query the state of the
 orientation of the stream @var{stream}.  If the @var{mode} parameter has
@@ -811,6 +871,16 @@ These narrow streams functions are declared in the header file
 @comment stdio.h
 @comment ISO
 @deftypefun int fputc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
+@c If the stream is in use when interrupted by a signal, the recursive
+@c lock won't help ensure the stream is consistent; indeed, if fputc
+@c gets a signal precisely before the post-incremented _IO_write_ptr
+@c value is stored, we may overwrite the interrupted write.  Conversely,
+@c depending on compiler optimizations, the incremented _IO_write_ptr
+@c may be stored before the character is stored in the buffer,
+@c corrupting the stream if async cancel hits between the two stores.
+@c There may be other reasons for AS- and AC-unsafety in the overflow
+@c cases.
 The @code{fputc} function converts the character @var{c} to type
 @code{unsigned char}, and writes it to the stream @var{stream}.
 @code{EOF} is returned if a write error occurs; otherwise the
@@ -820,6 +890,7 @@ character @var{c} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fputwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{fputwc} function writes the wide character @var{wc} to the
 stream @var{stream}.  @code{WEOF} is returned if a write error occurs;
 otherwise the character @var{wc} is returned.
@@ -828,6 +899,10 @@ otherwise the character @var{wc} is returned.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fputc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
+@c The unlocked functions can't possibly satisfy the MT-Safety
+@c requirements on their own, because they require external locking for
+@c safety.
 The @code{fputc_unlocked} function is equivalent to the @code{fputc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -835,6 +910,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment POSIX
 @deftypefun wint_t fputwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputwc_unlocked} function is equivalent to the @code{fputwc}
 function except that it does not implicitly lock the stream.
 
@@ -844,6 +920,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputc}, except that most systems implement it as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -854,6 +931,7 @@ use for writing a single character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwc (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 This is just like @code{fputwc}, except that it can be implement as
 a macro, making it faster.  One consequence is that it may evaluate the
 @var{stream} argument more than once, which is an exception to the
@@ -864,6 +942,7 @@ use for writing a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int putc_unlocked (int @var{c}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putc_unlocked} function is equivalent to the @code{putc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -871,6 +950,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwc_unlocked (wchar_t @var{wc}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwc_unlocked} function is equivalent to the @code{putwc}
 function except that it does not implicitly lock the stream.
 
@@ -880,6 +960,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int putchar (int @var{c})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putchar} function is equivalent to @code{putc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -887,6 +968,7 @@ The @code{putchar} function is equivalent to @code{putc} with
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t putwchar (wchar_t @var{wc})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The @code{putwchar} function is equivalent to @code{putwc} with
 @code{stdout} as the value of the @var{stream} argument.
 @end deftypefun
@@ -894,6 +976,7 @@ The @code{putwchar} function is equivalent to @code{putwc} with
 @comment stdio.h
 @comment POSIX
 @deftypefun int putchar_unlocked (int @var{c})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putchar_unlocked} function is equivalent to the @code{putchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -901,6 +984,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t putwchar_unlocked (wchar_t @var{wc})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{putwchar_unlocked} function is equivalent to the @code{putwchar}
 function except that it does not implicitly lock the stream.
 
@@ -910,6 +994,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int fputs (const char *@var{s}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputs} writes the string @var{s} to the stream
 @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.
@@ -933,6 +1018,7 @@ outputs the text @samp{Are you hungry?} followed by a newline.
 @comment wchar.h
 @comment ISO
 @deftypefun int fputws (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{incansist, lockleak}}
 The function @code{fputws} writes the wide character string @var{ws} to
 the stream @var{stream}.  The terminating null character is not written.
 This function does @emph{not} add a newline character, either.  It
@@ -945,6 +1031,7 @@ a non-negative value.
 @comment stdio.h
 @comment GNU
 @deftypefun int fputs_unlocked (const char *@var{s}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputs_unlocked} function is equivalent to the @code{fputs}
 function except that it does not implicitly lock the stream.
 
@@ -954,6 +1041,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun int fputws_unlocked (const wchar_t *@var{ws}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fputws_unlocked} function is equivalent to the @code{fputws}
 function except that it does not implicitly lock the stream.
 
@@ -963,6 +1051,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int puts (const char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{puts} function writes the string @var{s} to the stream
 @code{stdout} followed by a newline.  The terminating null character of
 the string is not written.  (Note that @code{fputs} does @emph{not}
@@ -982,6 +1071,7 @@ outputs the text @samp{This is a message.} followed by a newline.
 @comment stdio.h
 @comment SVID
 @deftypefun int putw (int @var{w}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes the word @var{w} (that is, an @code{int}) to
 @var{stream}.  It is provided for compatibility with SVID, but we
 recommend you use @code{fwrite} instead (@pxref{Block Input/Output}).
@@ -1014,6 +1104,11 @@ it will fit in a @samp{char} variable without loss of information.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
+@c Same caveats as fputc, but instead of losing a write in case of async
+@c signals, we may read the same character more than once, and the
+@c stream may be left in odd states due to cancellation in the underflow
+@c cases.
 This function reads the next character as an @code{unsigned char} from
 the stream @var{stream} and returns its value, converted to an
 @code{int}.  If an end-of-file condition or read error occurs,
@@ -1023,6 +1118,7 @@ the stream @var{stream} and returns its value, converted to an
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t fgetwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads the next wide character from the stream @var{stream}
 and returns its value.  If an end-of-file condition or read error
 occurs, @code{WEOF} is returned instead.
@@ -1031,6 +1127,7 @@ occurs, @code{WEOF} is returned instead.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fgetc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetc_unlocked} function is equivalent to the @code{fgetc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1038,6 +1135,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t fgetwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetwc_unlocked} function is equivalent to the @code{fgetwc}
 function except that it does not implicitly lock the stream.
 
@@ -1047,6 +1145,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetc}, except that it is permissible (and
 typical) for it to be implemented as a macro that evaluates the
 @var{stream} argument more than once.  @code{getc} is often highly
@@ -1057,6 +1156,7 @@ character.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwc (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This is just like @code{fgetwc}, except that it is permissible for it to
 be implemented as a macro that evaluates the @var{stream} argument more
 than once.  @code{getwc} can be highly optimized, so it is usually the
@@ -1066,6 +1166,7 @@ best function to use to read a single wide character.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getc_unlocked} function is equivalent to the @code{getc}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1073,6 +1174,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwc_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwc_unlocked} function is equivalent to the @code{getwc}
 function except that it does not implicitly lock the stream.
 
@@ -1082,6 +1184,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun int getchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getchar} function is equivalent to @code{getc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1089,6 +1192,7 @@ as the value of the @var{stream} argument.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t getwchar (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{getwchar} function is equivalent to @code{getwc} with @code{stdin}
 as the value of the @var{stream} argument.
 @end deftypefun
@@ -1096,6 +1200,7 @@ as the value of the @var{stream} argument.
 @comment stdio.h
 @comment POSIX
 @deftypefun int getchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getchar_unlocked} function is equivalent to the @code{getchar}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -1103,6 +1208,7 @@ function except that it does not implicitly lock the stream.
 @comment wchar.h
 @comment GNU
 @deftypefun wint_t getwchar_unlocked (void)
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{getwchar_unlocked} function is equivalent to the @code{getwchar}
 function except that it does not implicitly lock the stream.
 
@@ -1145,6 +1251,7 @@ y_or_n_p (const char *question)
 @comment stdio.h
 @comment SVID
 @deftypefun int getw (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads a word (that is, an @code{int}) from @var{stream}.
 It's provided for compatibility with SVID.  We recommend you use
 @code{fread} instead (@pxref{Block Input/Output}).  Unlike @code{getc},
@@ -1173,6 +1280,7 @@ All these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getline (char **@var{lineptr}, size_t *@var{n}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads an entire line from @var{stream}, storing the text
 (including the newline and a terminating null character) in a buffer
 and storing the buffer address in @code{*@var{lineptr}}.
@@ -1208,6 +1316,7 @@ If an error occurs or end of file is reached without any bytes read,
 @comment stdio.h
 @comment GNU
 @deftypefun ssize_t getdelim (char **@var{lineptr}, size_t *@var{n}, int @var{delimiter}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is like @code{getline} except that the character which
 tells it to stop reading is not necessarily newline.  The argument
 @var{delimiter} specifies the delimiter character; @code{getdelim} keeps
@@ -1232,6 +1341,7 @@ getline (char **lineptr, size_t *n, FILE *stream)
 @comment stdio.h
 @comment ISO
 @deftypefun {char *} fgets (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgets} function reads characters from the stream @var{stream}
 up to and including a newline character and stores them in the string
 @var{s}, adding a null character to mark the end of the string.  You
@@ -1255,6 +1365,7 @@ error message.  We recommend using @code{getline} instead of @code{fgets}.
 @comment wchar.h
 @comment ISO
 @deftypefun {wchar_t *} fgetws (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fgetws} function reads wide characters from the stream
 @var{stream} up to and including a newline character and stores them in
 the string @var{ws}, adding a null wide character to mark the end of the
@@ -1280,6 +1391,7 @@ message.
 @comment stdio.h
 @comment GNU
 @deftypefun {char *} fgets_unlocked (char *@var{s}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgets_unlocked} function is equivalent to the @code{fgets}
 function except that it does not implicitly lock the stream.
 
@@ -1289,6 +1401,7 @@ This function is a GNU extension.
 @comment wchar.h
 @comment GNU
 @deftypefun {wchar_t *} fgetws_unlocked (wchar_t *@var{ws}, int @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fgetws_unlocked} function is equivalent to the @code{fgetws}
 function except that it does not implicitly lock the stream.
 
@@ -1298,6 +1411,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefn {Deprecated function} {char *} gets (char *@var{s})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The function @code{gets} reads characters from the stream @code{stdin}
 up to the next newline character, and stores them in the string @var{s}.
 The newline character is discarded (note that this differs from the
@@ -1388,6 +1502,7 @@ reverses the action of @code{getc}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ungetc (int @var{c}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetc} function pushes back the character @var{c} onto the
 input stream @var{stream}.  So the next input from @var{stream} will
 read @var{c} before anything else.
@@ -1425,6 +1540,7 @@ will encounter end of file.
 @comment wchar.h
 @comment ISO
 @deftypefun wint_t ungetwc (wint_t @var{wc}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ungetwc} function behaves just like @code{ungetc} just that it
 pushes back a wide character.
 @end deftypefun
@@ -1483,6 +1599,7 @@ These functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fread (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function reads up to @var{count} objects of size @var{size} into
 the array @var{data}, from the stream @var{stream}.  It returns the
 number of objects actually read, which might be less than @var{count} if
@@ -1498,6 +1615,7 @@ object.  Therefore, the stream remains at the actual end of the file.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fread_unlocked (void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fread_unlocked} function is equivalent to the @code{fread}
 function except that it does not implicitly lock the stream.
 
@@ -1507,6 +1625,7 @@ This function is a GNU extension.
 @comment stdio.h
 @comment ISO
 @deftypefun size_t fwrite (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function writes up to @var{count} objects of size @var{size} from
 the array @var{data}, to the stream @var{stream}.  The return value is
 normally @var{count}, if the call succeeds.  Any other value indicates
@@ -1516,6 +1635,7 @@ some sort of error, such as running out of space.
 @comment stdio.h
 @comment GNU
 @deftypefun size_t fwrite_unlocked (const void *@var{data}, size_t @var{size}, size_t @var{count}, FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fwrite_unlocked} function is equivalent to the @code{fwrite}
 function except that it does not implicitly lock the stream.
 
@@ -2257,6 +2377,7 @@ just include @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int printf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{printf} function prints the optional arguments under the
 control of the template string @var{template} to the stream
 @code{stdout}.  It returns the number of characters printed, or a
@@ -2266,6 +2387,7 @@ negative value if there was an output error.
 @comment wchar.h
 @comment ISO
 @deftypefun int wprintf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wprintf} function prints the optional arguments under the
 control of the wide template string @var{template} to the stream
 @code{stdout}.  It returns the number of wide characters printed, or a
@@ -2275,6 +2397,7 @@ negative value if there was an output error.
 @comment stdio.h
 @comment ISO
 @deftypefun int fprintf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{printf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2282,6 +2405,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwprintf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wprintf}, except that the output is
 written to the stream @var{stream} instead of @code{stdout}.
 @end deftypefun
@@ -2289,6 +2413,7 @@ written to the stream @var{stream} instead of @code{stdout}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sprintf (char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{printf}, except that the output is stored in the character
 array @var{s} instead of written to a stream.  A null character is written
 to mark the end of the string.
@@ -2313,6 +2438,7 @@ described below.
 @comment wchar.h
 @comment GNU
 @deftypefun int swprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wprintf}, except that the output is stored in the
 wide character array @var{ws} instead of written to a stream.  A null
 wide character is written to mark the end of the string.  The @var{size}
@@ -2337,6 +2463,7 @@ again and decided to not define an function exactly corresponding to
 @comment stdio.h
 @comment GNU
 @deftypefun int snprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{snprintf} function is similar to @code{sprintf}, except that
 the @var{size} argument specifies the maximum number of characters to
 produce.  The trailing null character is counted towards this limit, so
@@ -2407,6 +2534,7 @@ in dynamically allocated memory.
 @comment stdio.h
 @comment GNU
 @deftypefun int asprintf (char **@var{ptr}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This function is similar to @code{sprintf}, except that it dynamically
 allocates a string (as with @code{malloc}; @pxref{Unconstrained
 Allocation}) to hold the output, instead of putting the output in a
@@ -2439,6 +2567,7 @@ make_message (char *name, char *value)
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_printf (struct obstack *@var{obstack}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
 This function is similar to @code{asprintf}, except that it uses the
 obstack @var{obstack} to allocate the space.  @xref{Obstacks}.
 
@@ -2509,6 +2638,7 @@ Prototypes for these functions are declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vprintf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{printf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2517,6 +2647,7 @@ pointer @var{ap}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vwprintf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wprintf} except that, instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap}.
@@ -2525,6 +2656,12 @@ pointer @var{ap}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vfprintf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
+@c Although vfprintf sets up a cleanup region to release the lock on the
+@c output stream, it doesn't use it to release args_value or string in
+@c case of cancellation.  This doesn't make it unsafe, but cancelling it
+@c may leak memory.  The unguarded use of __printf_function_table is
+@c also of concern for all callers.
 This is the equivalent of @code{fprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2532,6 +2669,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwprintf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2539,6 +2677,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsprintf (char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2546,6 +2685,7 @@ specified directly as for @code{vprintf}.
 @comment wchar.h
 @comment GNU
 @deftypefun int vswprintf (wchar_t *@var{s}, size_t @var{size}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swprintf} with the variable argument list
 specified directly as for @code{vwprintf}.
 @end deftypefun
@@ -2553,6 +2693,7 @@ specified directly as for @code{vwprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vsnprintf (char *@var{s}, size_t @var{size}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{snprintf} with the variable argument list
 specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2560,6 +2701,7 @@ specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int vasprintf (char **@var{ptr}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 The @code{vasprintf} function is the equivalent of @code{asprintf} with the
 variable argument list specified directly as for @code{vprintf}.
 @end deftypefun
@@ -2567,6 +2709,10 @@ variable argument list specified directly as for @code{vprintf}.
 @comment stdio.h
 @comment GNU
 @deftypefun int obstack_vprintf (struct obstack *@var{obstack}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{xguargs, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acsafe{incansist, memleak}}
+@c The obstack is not guarded by mutexes, it might be at an inconsistent
+@c state within a signal handler, and it could be left at an
+@c inconsistent state in case of cancellation.
 The @code{obstack_vprintf} function is the equivalent of
 @code{obstack_printf} with the variable argument list specified directly
 as for @code{vprintf}.@refill
@@ -2639,6 +2785,7 @@ file @file{printf.h}.
 @comment printf.h
 @comment GNU
 @deftypefun size_t parse_printf_format (const char *@var{template}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{glocale-revisit}@acsafe{}}
 This function returns information about the number and types of
 arguments expected by the @code{printf} template string @var{template}.
 The information is stored in the array @var{argtypes}; each element of
@@ -2879,6 +3026,12 @@ The function to register a new output conversion is
 @comment printf.h
 @comment GNU
 @deftypefun int register_printf_function (int @var{spec}, printf_function @var{handler-function}, printf_arginfo_function @var{arginfo-function})
+@safety{@mtunsafe{uunguard}@asunsafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
+@c This function is guarded by the global non-recursive libc lock, but
+@c users of the variables it sets aren't, and those should be MT-Safe,
+@c so we're ruling out the use of this extension with threads.  Calling
+@c it from a signal handler may self-deadlock, and cancellation may
+@c leave the lock held, besides leaking allocated memory.
 This function defines the conversion specifier character @var{spec}.
 Thus, if @var{spec} is @code{'Y'}, it defines the conversion @samp{%Y}.
 You can redefine the built-in conversions like @samp{%s}, but flag
@@ -3125,6 +3278,12 @@ which implement a special way to print floating-point numbers.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size (FILE *@var{fp}, const struct printf_info *@var{info}, const void *const *@var{args})
+@safety{@mtunsafe{nolock, glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, incansist}}
+@c This is meant to be called by vfprintf, that should hold the lock on
+@c the stream, but if this function is called directly, output will be
+@c racy, besides the uses of the global locale object while other
+@c threads may be changing it and the possbility of leaving the stream
+@c object in an inconsistent state in case of cancellation.
 Print a given floating point number as for the format @code{%f} except
 that there is a postfix character indicating the divisor for the
 number to make this less than 1000.  There are two possible divisors:
@@ -3183,6 +3342,7 @@ provide the function which returns information about the arguments.
 @comment printf.h
 @comment GNU
 @deftypefun int printf_size_info (const struct printf_info *@var{info}, size_t @var{n}, int *@var{argtypes})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function will return in @var{argtypes} the information about the
 used parameters in the way the @code{vfprintf} implementation expects
 it.  The format always takes one argument.
@@ -3799,6 +3959,7 @@ Prototypes for these functions are in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int scanf (const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{scanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3813,6 +3974,7 @@ template, then @code{EOF} is returned.
 @comment wchar.h
 @comment ISO
 @deftypefun int wscanf (const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 The @code{wscanf} function reads formatted input from the stream
 @code{stdin} under the control of the template string @var{template}.
 The optional arguments are pointers to the places which receive the
@@ -3827,6 +3989,7 @@ template, then @code{WEOF} is returned.
 @comment stdio.h
 @comment ISO
 @deftypefun int fscanf (FILE *@var{stream}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{scanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3834,6 +3997,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment wchar.h
 @comment ISO
 @deftypefun int fwscanf (FILE *@var{stream}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is just like @code{wscanf}, except that the input is read
 from the stream @var{stream} instead of @code{stdin}.
 @end deftypefun
@@ -3841,6 +4005,7 @@ from the stream @var{stream} instead of @code{stdin}.
 @comment stdio.h
 @comment ISO
 @deftypefun int sscanf (const char *@var{s}, const char *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{scanf}, except that the characters are taken from the
 null-terminated string @var{s} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3854,6 +4019,7 @@ as an argument to receive a string read under control of the @samp{%s},
 @comment wchar.h
 @comment ISO
 @deftypefun int swscanf (const wchar_t *@var{ws}, const wchar_t *@var{template}, @dots{})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is like @code{wscanf}, except that the characters are taken from the
 null-terminated string @var{ws} instead of from a stream.  Reaching the
 end of the string is treated as an end-of-file condition.
@@ -3880,6 +4046,7 @@ introduced in @w{ISO C99} and were before available as GNU extensions.
 @comment stdio.h
 @comment ISO
 @deftypefun int vscanf (const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{scanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3888,6 +4055,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment wchar.h
 @comment ISO
 @deftypefun int vwscanf (const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This function is similar to @code{wscanf}, but instead of taking
 a variable number of arguments directly, it takes an argument list
 pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
@@ -3896,6 +4064,7 @@ pointer @var{ap} of type @code{va_list} (@pxref{Variadic Functions}).
 @comment stdio.h
 @comment ISO
 @deftypefun int vfscanf (FILE *@var{stream}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3903,6 +4072,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vfwscanf (FILE *@var{stream}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asynconsist, asmalloc, glocale-revisit}@acunsafe{memleak, lockleak, incansist}}
 This is the equivalent of @code{fwscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3910,6 +4080,7 @@ specified directly as for @code{vwscanf}.
 @comment stdio.h
 @comment ISO
 @deftypefun int vsscanf (const char *@var{s}, const char *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{sscanf} with the variable argument list
 specified directly as for @code{vscanf}.
 @end deftypefun
@@ -3917,6 +4088,7 @@ specified directly as for @code{vscanf}.
 @comment wchar.h
 @comment ISO
 @deftypefun int vswscanf (const wchar_t *@var{s}, const wchar_t *@var{template}, va_list @var{ap})
+@safety{@mtunsafe{glocale-revisit}@asunsafe{asmalloc, glocale-revisit}@acsafe{memleak}}
 This is the equivalent of @code{swscanf} with the variable argument list
 specified directly as for @code{vwscanf}.
 @end deftypefun
@@ -3966,6 +4138,7 @@ This symbol is declared in @file{wchar.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int feof (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{feof} function returns nonzero if and only if the end-of-file
 indicator for the stream @var{stream} is set.
 
@@ -3975,6 +4148,9 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int feof_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c There isn't much of a thread unsafety risk in reading a flag word and
+@c testing a bit in it.
 The @code{feof_unlocked} function is equivalent to the @code{feof}
 function except that it does not implicitly lock the stream.
 
@@ -3986,6 +4162,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int ferror (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 The @code{ferror} function returns nonzero if and only if the error
 indicator for the stream @var{stream} is set, indicating that an error
 has occurred on a previous operation on the stream.
@@ -3996,6 +4173,7 @@ This symbol is declared in @file{stdio.h}.
 @comment stdio.h
 @comment GNU
 @deftypefun int ferror_unlocked (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ferror_unlocked} function is equivalent to the @code{ferror}
 function except that it does not implicitly lock the stream.
 
@@ -4023,6 +4201,7 @@ function.
 @comment stdio.h
 @comment ISO
 @deftypefun void clearerr (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acunsafe{lockleak}}
 This function clears the end-of-file and error indicators for the
 stream @var{stream}.
 
@@ -4033,6 +4212,7 @@ end-of-file indicator for the stream.
 @comment stdio.h
 @comment GNU
 @deftypefun void clearerr_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@assafe{}@acunsafe{lockleak}}
 The @code{clearerr_unlocked} function is equivalent to the @code{clearerr}
 function except that it does not implicitly lock the stream.
 
@@ -4146,6 +4326,7 @@ are declared in the header file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun {long int} ftell (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function returns the current file position of the stream
 @var{stream}.
 
@@ -4158,6 +4339,7 @@ possibly for other reasons as well.  If a failure occurs, a value of
 @comment stdio.h
 @comment Unix98
 @deftypefun off_t ftello (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{ftello} function is similar to @code{ftell}, except that it
 returns a value of type @code{off_t}.  Systems which support this type
 use it to describe all file positions, unlike the POSIX specification
@@ -4181,6 +4363,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun off64_t ftello64 (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{ftello} with the only difference that
 the return value is of type @code{off64_t}.  This also requires that the
 stream @var{stream} was opened using either @code{fopen64},
@@ -4196,6 +4379,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fseek (FILE *@var{stream}, long int @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{fseek} function is used to change the file position of the
 stream @var{stream}.  The value of @var{whence} must be one of the
 constants @code{SEEK_SET}, @code{SEEK_CUR}, or @code{SEEK_END}, to
@@ -4215,6 +4399,7 @@ place in the file.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko (FILE *@var{stream}, off_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseek} but it corrects a problem with
 @code{fseek} in a system with POSIX types.  Using a value of type
 @code{long int} for the offset is not compatible with POSIX.
@@ -4238,6 +4423,7 @@ LFS interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fseeko64 (FILE *@var{stream}, off64_t @var{offset}, int @var{whence})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fseeko} with the only difference that
 the @var{offset} parameter is of type @code{off64_t}.  This also
 requires that the stream @var{stream} was opened using either
@@ -4286,6 +4472,7 @@ the offset provided is relative to the end of the file.
 @comment stdio.h
 @comment ISO
 @deftypefun void rewind (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{rewind} function positions the stream @var{stream} at the
 beginning of the file.  It is equivalent to calling @code{fseek} or
 @code{fseeko} on the @var{stream} with an @var{offset} argument of
@@ -4407,6 +4594,7 @@ representation.
 @comment stdio.h
 @comment ISO
 @deftypefun int fgetpos (FILE *@var{stream}, fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function stores the value of the file position indicator for the
 stream @var{stream} in the @code{fpos_t} object pointed to by
 @var{position}.  If successful, @code{fgetpos} returns zero; otherwise
@@ -4421,6 +4609,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fgetpos64 (FILE *@var{stream}, fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fgetpos} but the file position is
 returned in a variable of type @code{fpos64_t} to which @var{position}
 points.
@@ -4433,6 +4622,7 @@ and so transparently replaces the old interface.
 @comment stdio.h
 @comment ISO
 @deftypefun int fsetpos (FILE *@var{stream}, const fpos_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function sets the file position indicator for the stream @var{stream}
 to the position @var{position}, which must have been set by a previous
 call to @code{fgetpos} on the same stream.  If successful, @code{fsetpos}
@@ -4449,6 +4639,7 @@ interface transparently replaces the old interface.
 @comment stdio.h
 @comment Unix98
 @deftypefun int fsetpos64 (FILE *@var{stream}, const fpos64_t *@var{position})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is similar to @code{fsetpos} but the file position used
 for positioning is provided in a variable of type @code{fpos64_t} to
 which @var{position} points.
@@ -4560,6 +4751,7 @@ If you want to flush the buffered output at another time, call
 @comment stdio.h
 @comment ISO
 @deftypefun int fflush (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function causes any buffered output on @var{stream} to be delivered
 to the file.  If @var{stream} is a null pointer, then
 @code{fflush} causes buffered output on @emph{all} open output streams
@@ -4572,6 +4764,7 @@ otherwise.
 @comment stdio.h
 @comment POSIX
 @deftypefun int fflush_unlocked (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{fflush_unlocked} function is equivalent to the @code{fflush}
 function except that it does not implicitly lock the stream.
 @end deftypefun
@@ -4588,6 +4781,7 @@ exported.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void _flushlbf (void)
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 The @code{_flushlbf} function flushes all line buffered streams
 currently opened.
 
@@ -4609,6 +4803,7 @@ situation a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun void __fpurge (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acunsafe{incansist}}
 The @code{__fpurge} function causes the buffer of the stream
 @var{stream} to be emptied.  If the stream is currently in read mode all
 input in the buffer is lost.  If the stream is in output mode the
@@ -4633,6 +4828,7 @@ file @file{stdio.h}.
 @comment stdio.h
 @comment ISO
 @deftypefun int setvbuf (FILE *@var{stream}, char *@var{buf}, int @var{mode}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function is used to specify that the stream @var{stream} should
 have the buffering mode @var{mode}, which can be either @code{_IOFBF}
 (for full buffering), @code{_IOLBF} (for line buffering), or
@@ -4710,6 +4906,7 @@ efficient size.
 @comment stdio.h
 @comment ISO
 @deftypefun void setbuf (FILE *@var{stream}, char *@var{buf})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, the effect of this function is
 equivalent to calling @code{setvbuf} with a @var{mode} argument of
 @code{_IONBF}.  Otherwise, it is equivalent to calling @code{setvbuf}
@@ -4723,6 +4920,7 @@ use @code{setvbuf} in all new programs.
 @comment stdio.h
 @comment BSD
 @deftypefun void setbuffer (FILE *@var{stream}, char *@var{buf}, size_t @var{size})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 If @var{buf} is a null pointer, this function makes @var{stream} unbuffered.
 Otherwise, it makes @var{stream} fully buffered using @var{buf} as the
 buffer.  The @var{size} argument specifies the length of @var{buf}.
@@ -4734,6 +4932,7 @@ This function is provided for compatibility with old BSD code.  Use
 @comment stdio.h
 @comment BSD
 @deftypefun void setlinebuf (FILE *@var{stream})
+@safety{@mtsafe{}@asunsafe{asynconsist}@acunsafe{lockleak, incansist}}
 This function makes @var{stream} be line buffered, and allocates the
 buffer for you.
 
@@ -4748,6 +4947,7 @@ using a non-standard function introduced in Solaris and available in
 @comment stdio_ext.h
 @comment GNU
 @deftypefun int __flbf (FILE *@var{stream})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{__flbf} function will return a nonzero value in case the
 stream @var{stream} is line buffered.  Otherwise the return value is
 zero.
@@ -4761,6 +4961,7 @@ much of it is used.  These functions were also introduced in Solaris.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fbufsize (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fbufsize} function return the size of the buffer in the
 stream @var{stream}.  This value can be used to optimize the use of the
 stream.
@@ -4771,6 +4972,7 @@ This function is declared in the @file{stdio_ext.h} header.
 @comment stdio_ext.h
 @comment GNU
 @deftypefun size_t __fpending (FILE *@var{stream})
+@safety{@mtunsafe{nolock}@asunsafe{asynconsist}@acsafe{}}
 The @code{__fpending}
 function returns the number of bytes currently in the output buffer.
 For wide-oriented stream the measuring unit is wide characters.  This
@@ -4818,6 +5020,10 @@ I/O to a string or memory buffer.  These facilities are declared in
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fmemopen (void *@var{buf}, size_t @var{size}, const char *@var{opentype})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acsafe{memleak, lockleak}}
+@c Unlike open_memstream, fmemopen does (indirectly) call _IO_link_in,
+@c bringing with it additional potential for async trouble with
+@c list_all_lock.
 This function opens a stream that allows the access specified by the
 @var{opentype} argument, that reads from or writes to the buffer specified
 by the argument @var{buf}.  This array must be at least @var{size} bytes long.
@@ -4870,6 +5076,7 @@ Got r
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} open_memstream (char **@var{ptr}, size_t *@var{sizeloc})
+@safety{@mtsafe{}@assafe{asmalloc}@acsafe{memleak}}
 This function opens a stream for writing to a buffer.  The buffer is
 allocated dynamically and grown as necessary, using @code{malloc}.
 After you've closed the stream, this buffer is your responsibility to
@@ -4985,6 +5192,7 @@ closed.
 @comment stdio.h
 @comment GNU
 @deftypefun {FILE *} fopencookie (void *@var{cookie}, const char *@var{opentype}, cookie_io_functions_t @var{io-functions})
+@safety{@mtsafe{}@assafe{asmalloc, selfdeadlock}@acunsafe{memleak, lockleak}}
 This function actually creates the stream for communicating with the
 @var{cookie} using the functions in the @var{io-functions} argument.
 The @var{opentype} argument is interpreted as for @code{fopen};
@@ -5166,6 +5374,7 @@ It is a non-recoverable error.
 @comment fmtmsg.h
 @comment XPG
 @deftypefun int fmtmsg (long int @var{classification}, const char *@var{label}, int @var{severity}, const char *@var{text}, const char *@var{action}, const char *@var{tag})
+@safety{@mtsafe{}@asunsafe{selfdeadlock}@acsafe{}}
 Display a message described by its parameters on the device(s) specified
 in the @var{classification} parameter.  The @var{label} parameter
 identifies the source of the message.  The string should consist of two
@@ -5306,6 +5515,7 @@ introducing new classes in a running program.  One could use the
 but this is toilsome.
 
 @deftypefun int addseverity (int @var{severity}, const char *@var{string})
+@safety{@mtsafe{}@asunsafe{asmalloc, selfdeadlock}@acunsafe{lockleak, memleak}}
 This function allows the introduction of new severity classes which can be
 addressed by the @var{severity} parameter of the @code{fmtmsg} function.
 The @var{severity} parameter of @code{addseverity} must match the value

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ff79da305c9dfa8cdc253ef91e3af827e98ecd2b

commit ff79da305c9dfa8cdc253ef91e3af827e98ecd2b
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:39 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/arith.texi: Document thread safety properties.

diff --git a/manual/arith.texi b/manual/arith.texi
index 77056c3..833e0c9 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -160,6 +160,8 @@ The remainder from the division.
 @comment stdlib.h
 @comment ISO
 @deftypefun div_t div (int @var{numerator}, int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c Functions in this section are pure, and thus safe.
 This function @code{div} computes the quotient and remainder from
 the division of @var{numerator} by @var{denominator}, returning the
 result in a structure of type @code{div_t}.
@@ -199,6 +201,7 @@ type @code{long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun ldiv_t ldiv (long int @var{numerator}, long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ldiv} function is similar to @code{div}, except that the
 arguments are of type @code{long int} and the result is returned as a
 structure of type @code{ldiv_t}.
@@ -225,6 +228,7 @@ type @code{long long int} rather than @code{int}.)
 @comment stdlib.h
 @comment ISO
 @deftypefun lldiv_t lldiv (long long int @var{numerator}, long long int @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{lldiv} function is like the @code{div} function, but the
 arguments are of type @code{long long int} and the result is returned as
 a structure of type @code{lldiv_t}.
@@ -256,6 +260,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment inttypes.h
 @comment ISO
 @deftypefun imaxdiv_t imaxdiv (intmax_t @var{numerator}, intmax_t @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{imaxdiv} function is like the @code{div} function, but the
 arguments are of type @code{intmax_t} and the result is returned as
 a structure of type @code{imaxdiv_t}.
@@ -410,6 +415,7 @@ not have to worry about the type of their argument.
 @comment math.h
 @comment BSD
 @deftypefunx int isinfl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns @code{-1} if @var{x} represents negative infinity,
 @code{1} if @var{x} represents positive infinity, and @code{0} otherwise.
 @end deftypefun
@@ -423,6 +429,7 @@ This function returns @code{-1} if @var{x} represents negative infinity,
 @comment math.h
 @comment BSD
 @deftypefunx int isnanl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is a ``not a number''
 value, and zero otherwise.
 
@@ -445,6 +452,7 @@ function for some reason, you can write
 @comment math.h
 @comment BSD
 @deftypefunx int finitel (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns a nonzero value if @var{x} is finite or a ``not a
 number'' value, and zero otherwise.
 @end deftypefun
@@ -713,6 +721,22 @@ and save and restore the set of exceptions flagged.
 @comment fenv.h
 @comment ISO
 @deftypefun int feclearexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{unposix}@acsafe{unposix}}
+@c The other functions in this section that modify FP status register
+@c mostly do so with non-atomic load-modify-store sequences, but since
+@c the register is thread-specific, this should be fine, and safe for
+@c cancellation.  As long as the FP environment is restored before the
+@c signal handler returns control to the interrupted thread (like any
+@c kernel should do), the functions are also safe for use in signal
+@c handlers.
+@c
+@c FIXME: simfpu: Floating point emulation on powerpc is the exception:
+@c __sim_exception, __sim_disabled_exception and __sim_round_mode
+@c variables, that emulate a floating-point status register, are not
+@c thread-specific variables, so many of these functions are not MT-safe
+@c on that platform.  This is probably a bug.  These variables aren't
+@c restored by the signal machinery either, making the functions also
+@c async-signal-unsafe on this platform.
 This function clears all of the supported exception flags indicated by
 @var{excepts}.
 
@@ -723,6 +747,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feraiseexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function raises the supported exceptions indicated by
 @var{excepts}.  If more than one exception bit in @var{excepts} is set
 the order in which the exceptions are raised is undefined except that
@@ -738,6 +763,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fetestexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Test whether the exception flags indicated by the parameter @var{except}
 are currently set.  If any of them are, a nonzero value is returned
 which specifies which exceptions are set.  Otherwise the result is zero.
@@ -774,6 +800,7 @@ following functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetexceptflag (fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function stores in the variable pointed to by @var{flagp} an
 implementation-defined value representing the current setting of the
 exception flags indicated by @var{excepts}.
@@ -785,6 +812,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetexceptflag (const fexcept_t *@var{flagp}, int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This function restores the flags for the exceptions indicated by
 @var{excepts} to the values stored in the variable pointed to by
 @var{flagp}.
@@ -940,6 +968,7 @@ find out which one with this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetround (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Returns the currently selected rounding mode, represented by one of the
 values of the defined rounding mode macros.
 @end deftypefun
@@ -950,6 +979,7 @@ To change the rounding mode, use this function:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetround (int @var{round})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Changes the currently selected rounding mode to @var{round}.  If
 @var{round} does not correspond to one of the supported rounding modes
 nothing is changed.  @code{fesetround} returns zero if it changed the
@@ -994,6 +1024,7 @@ To save the state of the FPU, use one of these functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fegetenv (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the floating-point environment in the variable pointed to by
 @var{envp}.
 
@@ -1004,6 +1035,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feholdexcept (fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Store the current floating-point environment in the object pointed to by
 @var{envp}.  Then clear all exception flags, and set the FPU to trap no
 exceptions.  Not all FPUs support trapping no exceptions; if
@@ -1042,6 +1074,7 @@ functions:
 @comment fenv.h
 @comment ISO
 @deftypefun int fesetenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Set the floating-point environment to that described by @var{envp}.
 
 The function returns zero in case the operation was successful, a
@@ -1051,6 +1084,7 @@ non-zero value otherwise.
 @comment fenv.h
 @comment ISO
 @deftypefun int feupdateenv (const fenv_t *@var{envp})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 Like @code{fesetenv}, this function sets the floating-point environment
 to that described by @var{envp}.  However, if any exceptions were
 flagged in the status word before @code{feupdateenv} was called, they
@@ -1071,6 +1105,7 @@ occur, you can use the following two functions.
 @comment fenv.h
 @comment GNU
 @deftypefun int feenableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions enables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1083,6 +1118,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fedisableexcept (int @var{excepts})
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 This functions disables traps for each of the exceptions as indicated by
 the parameter @var{except}.  The individual exceptions are described in
 @ref{Status bit operations}.  Only the specified exceptions are
@@ -1095,6 +1131,7 @@ operation was successful, @code{-1} otherwise.
 @comment fenv.h
 @comment GNU
 @deftypefun int fegetexcept (void)
+@safety{@mtsafe{simfpu}@assafe{}@acsafe{}}
 The function returns a bitmask of all currently enabled exceptions.  It
 returns @code{-1} in case of failure.
 @end deftypefun
@@ -1146,6 +1183,7 @@ Prototypes for @code{abs}, @code{labs} and @code{llabs} are in @file{stdlib.h};
 @comment inttypes.h
 @comment ISO
 @deftypefunx intmax_t imaxabs (intmax_t @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute value of @var{number}.
 
 Most computers use a two's complement integer representation, in which
@@ -1167,6 +1205,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fabsl (long double @var{number})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function returns the absolute value of the floating-point number
 @var{number}.
 @end deftypefun
@@ -1180,6 +1219,7 @@ This function returns the absolute value of the floating-point number
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cabsl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the absolute  value of the complex number @var{z}
 (@pxref{Complex Numbers}).  The absolute value of a complex number is:
 
@@ -1217,6 +1257,7 @@ All these functions are declared in @file{math.h}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} frexpl (long double @var{value}, int *@var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are used to split the number @var{value}
 into a normalized fraction and an exponent.
 
@@ -1242,6 +1283,7 @@ zero is stored in @code{*@var{exponent}}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ldexpl (long double @var{value}, int @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the result of multiplying the floating-point
 number @var{value} by 2 raised to the power @var{exponent}.  (It can
 be used to reassemble floating-point numbers that were taken apart
@@ -1263,6 +1305,7 @@ equivalent to those of @code{ldexp} and @code{frexp}.  See also the
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbl (long double @var{value}, long double @var{exponent})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{scalb} function is the BSD name for @code{ldexp}.
 @end deftypefun
 
@@ -1275,6 +1318,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalbnl (long double @var{x}, int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbn} is identical to @code{scalb}, except that the exponent
 @var{n} is an @code{int} instead of a floating-point number.
 @end deftypefun
@@ -1288,6 +1332,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} scalblnl (long double @var{x}, long int @var{n})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{scalbln} is identical to @code{scalb}, except that the exponent
 @var{n} is a @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1301,6 +1346,7 @@ The @code{scalb} function is the BSD name for @code{ldexp}.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} significandl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{significand} returns the mantissa of @var{x} scaled to the range
 @math{[1, 2)}.
 It is equivalent to @w{@code{scalb (@var{x}, (double) -ilogb (@var{x}))}}.
@@ -1335,6 +1381,7 @@ result as a @code{double} instead to get around this problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} ceill (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} upwards to the nearest integer,
 returning that value as a @code{double}.  Thus, @code{ceil (1.5)}
 is @code{2.0}.
@@ -1349,6 +1396,7 @@ is @code{2.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} floorl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} downwards to the nearest
 integer, returning that value as a @code{double}.  Thus, @code{floor
 (1.5)} is @code{1.0} and @code{floor (-1.5)} is @code{-2.0}.
@@ -1363,6 +1411,7 @@ integer, returning that value as a @code{double}.  Thus, @code{floor
 @comment math.h
 @comment ISO
 @deftypefunx {long double} truncl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{trunc} functions round @var{x} towards zero to the nearest
 integer (returned in floating-point format).  Thus, @code{trunc (1.5)}
 is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
@@ -1377,6 +1426,7 @@ is @code{1.0} and @code{trunc (-1.5)} is @code{-1.0}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} rintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions round @var{x} to an integer value according to the
 current rounding mode.  @xref{Floating Point Parameters}, for
 information about the various rounding modes.  The default
@@ -1397,6 +1447,7 @@ inexact exception.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nearbyintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the same value as the @code{rint} functions, but
 do not raise the inexact exception if @var{x} is not an integer.
 @end deftypefun
@@ -1410,6 +1461,7 @@ do not raise the inexact exception if @var{x} is not an integer.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} roundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are similar to @code{rint}, but they round halfway
 cases away from zero instead of to the nearest integer (or other
 current rounding mode).
@@ -1424,6 +1476,7 @@ current rounding mode).
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1437,6 +1490,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llrintl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{rint}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1450,6 +1504,7 @@ These functions are just like @code{rint}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long int} lroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long int} instead of a floating-point number.
 @end deftypefun
@@ -1463,6 +1518,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long long int} llroundl (long double @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are just like @code{round}, but they return a
 @code{long long int} instead of a floating-point number.
 @end deftypefun
@@ -1477,6 +1533,7 @@ These functions are just like @code{round}, but they return a
 @comment math.h
 @comment ISO
 @deftypefunx {long double} modfl (long double @var{value}, long double *@var{integer-part})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions break the argument @var{value} into an integer part and a
 fractional part (between @code{-1} and @code{1}, exclusive).  Their sum
 equals @var{value}.  Each of the parts has the same sign as @var{value},
@@ -1503,6 +1560,7 @@ suits your problem.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmodl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions compute the remainder from the division of
 @var{numerator} by @var{denominator}.  Specifically, the return value is
 @code{@var{numerator} - @w{@var{n} * @var{denominator}}}, where @var{n}
@@ -1525,6 +1583,7 @@ If @var{denominator} is zero, @code{fmod} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} dreml (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are like @code{fmod} except that they round the
 internal quotient @var{n} to the nearest integer instead of towards zero
 to an integer.  For example, @code{drem (6.5, 2.3)} returns @code{-0.4},
@@ -1548,6 +1607,7 @@ If @var{denominator} is zero, @code{drem} signals a domain error.
 @comment math.h
 @comment BSD
 @deftypefunx {long double} remainderl (long double @var{numerator}, long double @var{denominator})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is another name for @code{drem}.
 @end deftypefun
 
@@ -1569,6 +1629,7 @@ bits.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} copysignl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return @var{x} but with the sign of @var{y}.  They work
 even if @var{x} or @var{y} are NaN or zero.  Both of these can carry a
 sign (although not all implementations support it) and this is one of
@@ -1584,6 +1645,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefun int signbit (@emph{float-type} @var{x})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 @code{signbit} is a generic macro which can work on all floating-point
 types.  It returns a nonzero value if the value of @var{x} has its sign
 bit set.
@@ -1602,6 +1664,7 @@ false, but @code{signbit (-0.0)} will return a nonzero value.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nextafterl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{nextafter} function returns the next representable neighbor of
 @var{x} in the direction towards @var{y}.  The size of the step between
 @var{x} and the result depends on the type of the result.  If
@@ -1625,6 +1688,7 @@ recommended functions in @w{IEEE 754}/@w{IEEE 854}).
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nexttowardl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions are identical to the corresponding versions of
 @code{nextafter} except that their second argument is a @code{long
 double}.
@@ -1640,6 +1704,8 @@ double}.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} nanl (const char *@var{tagp})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c The unsafe-but-ruled-safe locale use comes from strtod.
 The @code{nan} function returns a representation of NaN, provided that
 NaN is supported by the target platform.
 @code{nan ("@var{n-char-sequence}")} is equivalent to
@@ -1674,6 +1740,7 @@ arguments only once.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than
 @var{y}.  It is equivalent to @code{(@var{x}) > (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1682,6 +1749,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isgreaterequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is greater than or
 equal to @var{y}.  It is equivalent to @code{(@var{x}) >= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1690,6 +1758,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isless (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than @var{y}.
 It is equivalent to @code{(@var{x}) < (@var{y})}, but no exception is
 raised if @var{x} or @var{y} are NaN.
@@ -1698,6 +1767,7 @@ raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessequal (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less than or equal
 to @var{y}.  It is equivalent to @code{(@var{x}) <= (@var{y})}, but no
 exception is raised if @var{x} or @var{y} are NaN.
@@ -1706,6 +1776,7 @@ exception is raised if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int islessgreater (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether the argument @var{x} is less or greater
 than @var{y}.  It is equivalent to @code{(@var{x}) < (@var{y}) ||
 (@var{x}) > (@var{y})} (although it only evaluates @var{x} and @var{y}
@@ -1718,6 +1789,7 @@ expression is true if @var{x} or @var{y} are NaN.
 @comment math.h
 @comment ISO
 @deftypefn Macro int isunordered (@emph{real-floating} @var{x}, @emph{real-floating} @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This macro determines whether its arguments are unordered.  In other
 words, it is true if @var{x} or @var{y} are NaN, and false otherwise.
 @end deftypefn
@@ -1751,6 +1823,7 @@ perform these operations faster than the equivalent C code.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fminl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmin} function returns the lesser of the two values @var{x}
 and @var{y}.  It is similar to the expression
 @smallexample
@@ -1771,6 +1844,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fmaxl (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fmax} function returns the greater of the two values @var{x}
 and @var{y}.
 
@@ -1787,6 +1861,7 @@ are NaN, NaN is returned.
 @comment math.h
 @comment ISO
 @deftypefunx {long double} fdiml (long double @var{x}, long double @var{y})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fdim} function returns the positive difference between
 @var{x} and @var{y}.  The positive difference is @math{@var{x} -
 @var{y}} if @var{x} is greater than @var{y}, and @math{0} otherwise.
@@ -1804,6 +1879,7 @@ If @var{x}, @var{y}, or both are NaN, NaN is returned.
 @comment ISO
 @deftypefunx {long double} fmal (long double @var{x}, long double @var{y}, long double @var{z})
 @cindex butterfly
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fma} function performs floating-point multiply-add.  This is
 the operation @math{(@var{x} @mul{} @var{y}) + @var{z}}, but the
 intermediate result is not rounded to the destination type.  This can
@@ -1933,6 +2009,7 @@ available in three variants, one for each of the three complex types.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} creall (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the real part of the complex number @var{z}.
 @end deftypefun
 
@@ -1945,6 +2022,7 @@ These functions return the real part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cimagl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the imaginary part of the complex number @var{z}.
 @end deftypefun
 
@@ -1957,6 +2035,7 @@ These functions return the imaginary part of the complex number @var{z}.
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} conjl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the conjugate value of the complex number
 @var{z}.  The conjugate of a complex number has the same real part and a
 negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
@@ -1971,6 +2050,7 @@ negated imaginary part.  In other words, @samp{conj(a + bi) = a + -bi}.
 @comment complex.h
 @comment ISO
 @deftypefunx {long double} cargl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the argument of the complex number @var{z}.
 The argument of a complex number is the angle in the complex plane
 between the positive real axis and a line passing through zero and the
@@ -1989,6 +2069,7 @@ number.  This angle is measured in the usual fashion and ranges from
 @comment complex.h
 @comment ISO
 @deftypefunx {complex long double} cprojl (complex long double @var{z})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 These functions return the projection of the complex value @var{z} onto
 the Riemann sphere.  Values with a infinite imaginary part are projected
 to positive infinity on the real axis, even if the real part is NaN.  If
@@ -2034,6 +2115,16 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} strtol (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c strtol uses the thread-local pointer to the locale in effect, and
+@c strtol_l loads the LC_NUMERIC locale data from it early on and once,
+@c but if the locale is the global locale, and another thread calls
+@c setlocale in a way that modifies the pointer to the LC_CTYPE locale
+@c category, the behavior of e.g. IS*, TOUPPER will vary throughout the
+@c execution of the function, because they re-read the locale data from
+@c the given locale pointer.  We solved this by documenting setlocale as
+@c MT-Unsafe, but there might be other reasons why it's neither MT- nor
+@c AS-Safe; recheck.
 The @code{strtol} (``string-to-long'') function converts the initial
 part of @var{string} to a signed integer, which is returned as a value
 of type @code{long int}.
@@ -2097,6 +2188,7 @@ There is an example at the end of this section.
 @comment wchar.h
 @comment ISO
 @deftypefun {long int} wcstol (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstol} function is equivalent to the @code{strtol} function
 in nearly all aspects but handles wide character strings.
 
@@ -2106,6 +2198,7 @@ The @code{wcstol} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long int} strtoul (const char *retrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoul} (``string-to-unsigned-long'') function is like
 @code{strtol} except it converts to an @code{unsigned long int} value.
 The syntax is the same as described above for @code{strtol}.  The value
@@ -2124,6 +2217,7 @@ range, or @code{ERANGE} on overflow.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long int} wcstoul (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoul} function is equivalent to the @code{strtoul} function
 in nearly all aspects but handles wide character strings.
 
@@ -2133,6 +2227,7 @@ The @code{wcstoul} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} strtoll (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoll} function is like @code{strtol} except that it returns
 a @code{long long int} value, and accepts numbers with a correspondingly
 larger range.
@@ -2149,6 +2244,7 @@ The @code{strtoll} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {long long int} wcstoll (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoll} function is equivalent to the @code{strtoll} function
 in nearly all aspects but handles wide character strings.
 
@@ -2158,12 +2254,14 @@ The @code{wcstoll} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {long long int} strtoq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtoq} (``string-to-quad-word'') is the BSD name for @code{strtoll}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {long long int} wcstoq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoq} function is equivalent to the @code{strtoq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2173,6 +2271,7 @@ The @code{wcstoq} function is a GNU extension.
 @comment stdlib.h
 @comment ISO
 @deftypefun {unsigned long long int} strtoull (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoull} function is related to @code{strtoll} the same way
 @code{strtoul} is related to @code{strtol}.
 
@@ -2182,6 +2281,7 @@ The @code{strtoull} function was introduced in @w{ISO C99}.
 @comment wchar.h
 @comment ISO
 @deftypefun {unsigned long long int} wcstoull (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoull} function is equivalent to the @code{strtoull} function
 in nearly all aspects but handles wide character strings.
 
@@ -2191,12 +2291,14 @@ The @code{wcstoull} function was introduced in @w{Amendment 1} of @w{ISO C90}.
 @comment stdlib.h
 @comment BSD
 @deftypefun {unsigned long long int} strtouq (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 @code{strtouq} is the BSD name for @code{strtoull}.
 @end deftypefun
 
 @comment wchar.h
 @comment GNU
 @deftypefun {unsigned long long int} wcstouq (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstouq} function is equivalent to the @code{strtouq} function
 in nearly all aspects but handles wide character strings.
 
@@ -2206,6 +2308,7 @@ The @code{wcstouq} function is a GNU extension.
 @comment inttypes.h
 @comment ISO
 @deftypefun intmax_t strtoimax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoimax} function is like @code{strtol} except that it returns
 a @code{intmax_t} value, and accepts numbers of a corresponding range.
 
@@ -2222,6 +2325,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun intmax_t wcstoimax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoimax} function is equivalent to the @code{strtoimax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2231,6 +2335,7 @@ The @code{wcstoimax} function was introduced in @w{ISO C99}.
 @comment inttypes.h
 @comment ISO
 @deftypefun uintmax_t strtoumax (const char *restrict @var{string}, char **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{strtoumax} function is related to @code{strtoimax}
 the same way that @code{strtoul} is related to @code{strtol}.
 
@@ -2241,6 +2346,7 @@ See @ref{Integers} for a description of the @code{intmax_t} type.  The
 @comment wchar.h
 @comment ISO
 @deftypefun uintmax_t wcstoumax (const wchar_t *restrict @var{string}, wchar_t **restrict @var{tailptr}, int @var{base})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstoumax} function is equivalent to the @code{strtoumax} function
 in nearly all aspects but handles wide character strings.
 
@@ -2250,6 +2356,7 @@ The @code{wcstoumax} function was introduced in @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long int} atol (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtol} function with a @var{base}
 argument of @code{10}, except that it need not detect overflow errors.
 The @code{atol} function is provided mostly for compatibility with
@@ -2259,6 +2366,7 @@ existing code; using @code{strtol} is more robust.
 @comment stdlib.h
 @comment ISO
 @deftypefun int atoi (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is like @code{atol}, except that it returns an @code{int}.
 The @code{atoi} function is also considered obsolete; use @code{strtol}
 instead.
@@ -2267,6 +2375,7 @@ instead.
 @comment stdlib.h
 @comment ISO
 @deftypefun {long long int} atoll (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to @code{atol}, except it returns a @code{long
 long int}.
 
@@ -2331,6 +2440,9 @@ as well.
 @comment stdlib.h
 @comment ISO
 @deftypefun double strtod (const char *restrict @var{string}, char **restrict @var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
+@c Besides the unsafe-but-ruled-safe locale uses, this uses a lot of
+@c mpn, but it's all safe.
 The @code{strtod} (``string-to-double'') function converts the initial
 part of @var{string} to a floating-point number, which is returned as a
 value of type @code{double}.
@@ -2416,6 +2528,7 @@ examining @var{errno} and @var{tailptr}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} strtold (const char *@var{string}, char **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 These functions are analogous to @code{strtod}, but return @code{float}
 and @code{long double} values respectively.  They report errors in the
 same way as @code{strtod}.  @code{strtof} can be substantially faster
@@ -2435,6 +2548,7 @@ These functions have been GNU extensions and are new to @w{ISO C99}.
 @comment stdlib.h
 @comment ISO
 @deftypefunx {long double} wcstold (const wchar_t *@var{string}, wchar_t **@var{tailptr})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 The @code{wcstod}, @code{wcstof}, and @code{wcstol} functions are
 equivalent in nearly all aspect to the @code{strtod}, @code{strtof}, and
 @code{strtold} functions but it handles wide character string.
@@ -2447,6 +2561,7 @@ C90}.  The @code{wcstof} and @code{wcstold} functions were introduced in
 @comment stdlib.h
 @comment ISO
 @deftypefun double atof (const char *@var{string})
+@safety{@mtsafe{glocale}@assafe{glocale}@acsafe{}}
 This function is similar to the @code{strtod} function, except that it
 need not detect overflow and underflow errors.  The @code{atof} function
 is provided mostly for compatibility with existing code; using
@@ -2473,6 +2588,7 @@ All these functions are defined in @file{stdlib.h}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} ecvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{ecvt} converts the floating-point number @var{value}
 to a string with at most @var{ndigit} decimal digits.  The
 returned string contains no decimal point or sign. The first digit of
@@ -2498,6 +2614,7 @@ and sets @var{d} to @code{2} and @var{n} to @code{0}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} fcvt (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 The function @code{fcvt} is like @code{ecvt}, but @var{ndigit} specifies
 the number of digits after the decimal point.  If @var{ndigit} is less
 than zero, @var{value} is rounded to the @math{@var{ndigit}+1}'th place to the
@@ -2516,6 +2633,9 @@ to @code{fcvt}.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun {char *} gcvt (double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
+@c args_value if it's too large, but gcvt never exercises this path.  
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
@@ -2530,6 +2650,7 @@ functions that take @code{long double} arguments.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qecvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{ecvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2538,6 +2659,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qfcvt (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg})
+@safety{@mtunsafe{staticbuf}@assafe{staticbuf}@acsafe{}}
 This function is equivalent to @code{fcvt} except that it
 takes a @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2546,6 +2668,7 @@ restricted by the precision of a @code{long double}.
 @comment stdlib.h
 @comment GNU
 @deftypefun {char *} qgcvt (long double @var{value}, int @var{ndigit}, char *@var{buf})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 This function is equivalent to @code{gcvt} except that it takes a
 @code{long double} for the first parameter and that @var{ndigit} is
 restricted by the precision of a @code{long double}.
@@ -2566,6 +2689,7 @@ user-supplied buffer.
 @comment stdlib.h
 @comment GNU
 @deftypefun int ecvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{ecvt_r} function is the same as @code{ecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2577,6 +2701,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment SVID, Unix98
 @deftypefun int fcvt_r (double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{fcvt_r} function is the same as @code{fcvt}, except that it
 places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2588,6 +2713,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qecvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qecvt_r} function is the same as @code{qecvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in
@@ -2599,6 +2725,7 @@ This function is a GNU extension.
 @comment stdlib.h
 @comment GNU
 @deftypefun int qfcvt_r (long double @var{value}, int @var{ndigit}, int *@var{decpt}, int *@var{neg}, char *@var{buf}, size_t @var{len})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
 The @code{qfcvt_r} function is the same as @code{qfcvt}, except
 that it places its result into the user-specified buffer pointed to by
 @var{buf}, with length @var{len}.  The return value is @code{-1} in

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c7b61a96cbd8cb57ef7aedbddf47a3368451583d

commit c7b61a96cbd8cb57ef7aedbddf47a3368451583d
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:37 2013 -0300

    Rename unused scalb to scalbn to match prototype.
    
    for  ChangeLog
    
    	* sysdeps/ieee754/support.c (scalbn): Rename from
    	wrongly-typed scalb.  Adjust all callers.  Apparently unused.

diff --git a/sysdeps/ieee754/support.c b/sysdeps/ieee754/support.c
index 00476c0..0bbd892 100644
--- a/sysdeps/ieee754/support.c
+++ b/sysdeps/ieee754/support.c
@@ -82,7 +82,7 @@ static char sccsid[] = "@(#)support.c	8.1 (Berkeley) 6/4/93";
     static const double novf=1.7E308, nunf=3.0E-308,zero=0.0;
 #endif	/* defined(vax)||defined(tahoe) */
 
-double scalb(x,N)
+double scalbn(x,N)
 double x; int N;
 {
         int k;
@@ -106,7 +106,7 @@ double x; int N;
         if( (k= *px & mexp ) != mexp ) {
             if( N<-2100) return(nunf*nunf); else if(N>2100) return(novf+novf);
             if( k == 0 ) {
-                 x *= scalb(1.0,(int)prep1);  N -= prep1; return(scalb(x,N));}
+                 x *= scalbn(1.0,(int)prep1);  N -= prep1; return(scalbn(x,N));}
 #endif	/* defined(vax)||defined(tahoe) */
 
             if((k = (k>>gap)+ N) > 0 )
@@ -115,7 +115,7 @@ double x; int N;
             else
                 if( k > -prep1 )
                                         /* gradual underflow */
-                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalb(1.0,k-1);}
+                    {*px=(*px&~mexp)|(short)(1<<gap); x *= scalbn(1.0,k-1);}
                 else
                 return(nunf*nunf);
             }
@@ -228,7 +228,7 @@ double x,p;
 
         else  if ( ((*pp & mexp)>>gap) <= 1 )
                 /* subnormal p, or almost subnormal p */
-            { double b; b=scalb(1.0,(int)prep1);
+            { double b; b=scalbn(1.0,(int)prep1);
               p *= b; x = drem(x,p); x *= b; return(drem(x,p)/b);}
         else  if ( p >= novf/2)
             { p /= 2 ; x /= 2; return(drem(x,p)*2);}
@@ -294,8 +294,8 @@ double x;
 
     /* scale x to [1,4) */
         n=logb(x);
-        x=scalb(x,-n);
-        if((m=logb(x))!=0) x=scalb(x,-m);       /* subnormal number */
+        x=scalbn(x,-n);
+        if((m=logb(x))!=0) x=scalbn(x,-m);       /* subnormal number */
         m += n;
         n = m/2;
         if((n+n)!=m) {x *= 2; m -=1; n=m/2;}
@@ -326,7 +326,7 @@ double x;
                 b=1.0+r/4;   if(b>1.0) t=1;
                 if(t>=0) q+=r; }
 
-end:        return(scalb(q,n));
+end:        return(scalbn(q,n));
 }
 
 #if 0

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c2080123a1257f86601d8639f289ea4e3e6e27d7

commit c2080123a1257f86601d8639f289ea4e3e6e27d7
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:36 2013 -0300

    Note that powerpc fpu emulation status is not thread- or signal-safe.
    
    for  ports/ChangeLog.powerpc
    
    	PR 15483
    	* sysdeps/powerpc/nofpu/sim-full.c: Add FIXME note about
    	the need for thread-specific variables preserved across signal
    	handlers.
    	* sysdeps/powerpc/nofpu/soft-supp.h: Likewise.
    	* sysdeps/powerpc/soft-fp/sfp-machine.h: Likewise.

diff --git a/ports/sysdeps/powerpc/nofpu/sim-full.c b/ports/sysdeps/powerpc/nofpu/sim-full.c
index fc061d0..e167033 100644
--- a/ports/sysdeps/powerpc/nofpu/sim-full.c
+++ b/ports/sysdeps/powerpc/nofpu/sim-full.c
@@ -21,6 +21,11 @@
 #include "soft-fp.h"
 #include "soft-supp.h"
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 /* Global to store sticky exceptions.  */
 int __sim_exceptions __attribute__ ((nocommon));
 libc_hidden_data_def (__sim_exceptions);
diff --git a/ports/sysdeps/powerpc/nofpu/soft-supp.h b/ports/sysdeps/powerpc/nofpu/soft-supp.h
index b9638bb..64a3d2a 100644
--- a/ports/sysdeps/powerpc/nofpu/soft-supp.h
+++ b/ports/sysdeps/powerpc/nofpu/soft-supp.h
@@ -26,6 +26,11 @@ typedef union
 } fenv_union_t;
 
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;
diff --git a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
index c2a190e..508d869 100644
--- a/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
+++ b/ports/sysdeps/powerpc/soft-fp/sfp-machine.h
@@ -54,6 +54,11 @@
 #define FP_ROUNDMODE          __sim_round_mode
 #define FP_TRAPPING_EXCEPTIONS (~__sim_disabled_exceptions & 0x3e000000)
 
+/* FIXME: these variables should be thread specific (see bugzilla bug
+   15483) and ideally preserved across signal handlers, like hardware
+   FP status words, but the latter is quite difficult to accomplish in
+   userland.  */
+
 extern int __sim_exceptions;
 libc_hidden_proto (__sim_exceptions);
 extern int __sim_disabled_exceptions;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=706d7b14f054f498250c63c1e221a935b0e5ced2

commit 706d7b14f054f498250c63c1e221a935b0e5ced2
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Wed Jun 26 10:46:35 2013 -0300

    Thread safety documentation.
    
    for  ChangeLog
    
    	* manual/macros.texi: Introduce macros to document thread
    	safety properties.
    	* manual/intro.texi: Introduce the properties themselves.

diff --git a/manual/intro.texi b/manual/intro.texi
index deaf089..2630a77 100644
--- a/manual/intro.texi
+++ b/manual/intro.texi
@@ -172,6 +172,314 @@ pattern matching facilities (@pxref{Pattern Matching}).
 @comment <wordexp.h> (not yet implemented)
 @comment confstr
 
+The safety properties of @glibcadj{} functions, documented as MT-, AS-
+and AC- -Safe and -Unsafe are assessed according to the criteria set
+forth in the POSIX standard for Multi-Thread, Async-Signal and
+Async-Cancel safety.
+
+Intuitive definition of these properties, that attempt to capture
+the meaning of the standard definitions, follow:
+
+@itemize @bullet
+
+@item 
+@cindex MT-Safe
+MT-Safe functions are safe to call in the presence of other threads.  MT
+stands for Multi Thread.
+
+@item 
+@cindex AS-Safe
+AS-Safe functions are safe to call from asynchronous signal handlers.
+AS stands for Asynchronous Signal.
+
+@item
+@cindex AC-Safe
+AC-Safe functions are safe to call when asynchronous cancellation is
+enabled.  AC stands for Asynchronous Cancellation.
+
+@item 
+@cindex MT-Unsafe
+@cindex AS-Unsafe
+@cindex AC-Unsafe
+MT-Unsafe, AS-Unsafe, AC-Unsafe functions are not safe to call within
+the contexts described above: they may cause deviations from the
+specification in the behavior of the calls themselves, or of any other
+concurrent, ongoing or subsequent calls.
+
+Functions not explicitly documented as Safe should be regarded as
+Unsafe.
+
+@end itemize
+
+By ``safe to call'', we mean that, as long as the program does not
+invoke undefined or unspecified behavior, the called functions will
+behave as documented, and they won't cause any other functions to
+deviate from their documented behavior.
+
+Although we strive to abide by the standards, in some cases our
+implementation is safe even when the standard does not demand safety,
+and in other cases our implementation does not meet the standard safety
+requirements.  At this point, we document the result of an assessment of
+the properties of our implementation, so the safety documentation in
+this manual is not to be regarded as a promise of future behavior: in
+future releases, functions that are documented as safe may become
+unsafe, and safety constraints may be removed or introduced.  We
+envision turning the results of the assessment into a set of promises as
+stable as our interfaces, but we're not there yet.
+
+When a function is safe to call only under certain constraints, we will
+add keywords to the safety notes whose meanings are defined as follows:
+
+@itemize @bullet
+
+@c glocale-revisit
+@item @code{glocale}
+@cindex glocale
+
+In threads that have not overridden the thread-local locale object by
+calling @code{uselocale}, calling functions annotated with
+@code{glocale} concurrently with @code{setlocale} may cause the
+functions to behave in ways that don't correspond to either the previous
+or the subsequent global locale.
+
+Although the @code{setlocale} function modifies the global locale object
+while holding a lock, @code{glocale}-annotated functions may access this
+global object multiple times, without any measures to ensure it doesn't
+change while it's in use.
+
+Each of these unprotected uses will use either the previous or the
+subsequent locale information, so they won't cause crashes or access to
+uninitialized, unmapped or recycled memory.  However, since some cases
+use cached locale information while others access the effective locale
+object anew, concurrent changes to the global locale object may cause
+these functions to behave in ways that they could not behave should the
+execution of @code{setlocale} and of the so-annotated functions be
+atomic, or even should @code{setlocale} alone be atomic.
+
+The @code{glocale} constraint indicates functions are only safe to call
+if the effective thread-local locale is not the global locale object
+(because it was overridden with @code{uselocale}).  Failing that,
+@code{setlocale} should not be called while these functions are active.
+
+
+@item @code{uunguard}
+@cindex uunguard
+
+Functions marked with @code{uunguard} modify non-atomically arguments or
+global objects that other functions access without synchronization.  To
+ensure MT- and AS-Safe behavior, callers should refrain from calling
+so-marked functions concurrently with users of the corresponding
+objects.
+
+Unguarded users of the global locale object modified by @code{setlocale}
+are marked with @code{glocale}.
+
+Unguarded users of the @code{printf} extension objects modified by
+@code{register_printf_function} are the entire family of printf
+functions.
+
+Unguarded users of streams configured with @code{__fsetlocking} for
+locking by the caller are the entire family of stdio functions.
+
+
+@item @code{xguargs}
+@cindex xguargs
+
+Functions marked with @code{xguargs} may use or modify objects passed as
+arguments without any guards to ensure consistency.  To ensure MT- and
+AS-Safe behavior, callers must ensure that the objects passed in are not
+modified concurrently by other threads or signal handlers.
+
+
+@end itemize
+
+
+Additional safety issues that cannot be worked around by constraining
+the program are also documented with keywords, whose meaning is defined
+as follows:
+
+@itemize @bullet
+
+@item @code{staticbuf}
+@cindex staticbuf
+
+Functions annotated with @code{staticbuf} use internal static buffers or
+variables in ways that may cause concurrent calls to interfere
+destructively.
+
+These functions are all MT-Unsafe and AC-Unsafe.  However, many of them
+offer reentrant variants for MT-Safe and, in some cases, AC-Safe use.
+
+
+@item @code{fdleak}
+@cindex fdleak
+
+Functions annotated with @code{fdleak} may leak file descriptors if
+asynchronous thread cancellation interrupts their execution.
+
+Functions that allocate or deallocate file descriptors will generally be
+marked as such, because even if they attempted to protect the file
+descriptor allocation and deallocation with cleanup regions, allocating
+a new descriptor and storing its number where the cleanup region could
+release it cannot be performed as a single atomic operation, just like
+releasing it and taking it out of the data structure normally
+responsible for releasing it cannot be performed atomically, always
+leaving a window in which the descriptor cannot be released because it
+wasn't stored in the cleanup handler argument yet, or in which it was
+already taken out of it before releasing it in the normal flow (we
+cannot keep it there because, in case of cancellation, we wouldn't be
+able to tell whether it was already released, and the same number could
+have been already assigned to another descriptor by another thread, so
+we couldn't just release it again).
+
+Such leaks could be internally avoided, with some performance penalty,
+by temporarily disabling asynchronous thread cancellation.  However,
+since callers of allocation or deallocation functions would have to do
+this themselves, to avoid the same sort of leak in their own layer, it
+makes more sense for the library to assume they are taking care of it
+than to impose a performance penalty that is redundant when the problem
+is solved in upper layers, and insufficient when it isn't.
+
+This remark by itself does not cause a function to be regarded as
+AC-Unsafe.  However, cummulative effects of such leaks may pose a
+problem for some programs.  If this is the case, suspending asynchronous
+cancellation for the duration of calls to such functions is recommended.
+
+
+@item @code{memleak}
+@cindex memleak
+
+Functions annotated with @code{memleak} may leak memory if asynchronous
+thread cancellation interrupts their execution.
+
+The problem is similar to that of file descriptors: there is no atomic
+interface to allocate memory and store its address in the argument to a
+cleanup handler, or to release it and remove its address from that
+argument, without at least temporarily disabling asynchronous
+cancellation, which these functions do not do.
+
+This remark does not by itself cause a function to be regarded as
+generally AC-Unsafe.  However, cummulative effects of such leaks may be
+severe enough for some programs that disabling asynchronous cancellation
+for the duration of calls to such functions may be required.
+
+
+@item @code{lockleak}
+@cindex lockleak
+
+Functions annotated with @code{lockleak} may leak locks if asynchronous
+thread cancellation interrupts their execution.
+
+While the problem is similar to that of file descriptors, in that there
+is not any atomic interface to lock and take note of the need for
+unlocking in a cleanup, or to unlock and take note that there is no
+longer such a need, the problem posed by lock leaks is far more serious:
+when a file descriptor or a piece of memory is leaked, it becomes
+inaccessible and subsequent attempts to allocate a file descriptor or
+some memory will just use another resource.  However, once a lock is
+left taken, attempts to take that lock will block indefinitely.
+(Recursive locks will only block other threads, and read locks will only
+block writer threads, but the point still holds in general).
+
+For the reasons above, functions that leak locks are all AC-Unsafe.
+
+
+@item @code{selfdeadlock}
+@cindex selfdeadlock
+
+Functions marked with @code{selfdeadlock} take a non-recursive lock to
+ensure MT-Safety while modifying data structures guarded by the lock.
+
+If such a function is interrupted by a signal while holding the lock,
+and the signal handler calls any function that takes the same
+non-recursive lock, the result is a deadlock.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid a deadlock if any signal handler might need
+to call them.
+
+
+@item @code{asynconsist}
+@cindex asynconsist
+
+Functions marked with @code{asynconsist} take a recursive lock to ensure
+MT-Safety while accessing or modifying data structures guarded by the
+lock.
+
+If such a function is interrupted by a signal while holding the lock,
+and the signal handler calls any function that takes the same
+non-recursive lock, the latter function may observe a partially updated,
+inconsistent data structure, and misbehave.
+
+Blocking asynchronous signal delivery while calling such functions is
+the only safe way to avoid the misbehavior that may ensue if any signal
+handler might need to call them.
+
+
+@item @code{asmalloc}
+@cindex asmalloc
+
+This is a sub-case of @code{asynconsist}.  Functions marked with
+@code{asmalloc} perform memory allocation or deallocation with the
+@code{malloc}/@code{free} family of functions.
+
+If heap management functions are interrupted by asynchronous signals,
+and the signal handlers attempt to perform memory allocation or
+deallocation of their own, they may encounter heap data structures in a
+partially updated state, and the interrupted calls may malfunction
+because of the changes made within the signal handler.
+
+
+@item @code{incansist}
+@cindex incansist
+
+Functions marked with @code{incansist} modify data structures in a
+non-atomic way.
+
+If such a function is asynchronously canceled, it may leave the data
+structure in a partially updated, inconsistent state.  Subsequent uses
+of the data structure may misbehave.
+
+Disabling asynchronous cancelation while calling such functions is the
+only safe way to avoid the misbehavior that may ensure if the thread is
+canceled while the function is running.
+
+
+@item @code{simfpu}
+@cindex simfpu
+
+Functions annotated with @code{simfpu} may misbehave on powerpc ports in
+which the floating-point unit is disabled and floating point simulation
+is used instead.  On such platforms, @theglibc{} uses global variables
+to hold floating-point exceptions, rounding modes and disabled
+exceptions, rather than thread-local state.  This is a @glibcadj{} bug.
+
+Furthermore, even if this bug is fixed, the emulation of floating-point
+control and status registers will not go as far as saving and restoring
+these emulated registers across asynchronous signal handlers.  Indeed,
+although most platforms preserve floating-point context as part of the
+thread context, preserving control and status words is not mandatory:
+standards recommend that programs that modify them within signal
+handlers restore them to the original state before returning.
+
+This note does not cause functions to be marked as MT-Unsafe, even
+though, on the affected platform, they are MT-Unsafe indeed.
+
+
+@item @code{unposix}
+@cindex unposix
+
+This remark indicates our safety documentation is known to differ from
+the requirements set by the POSIX standard.  For example, POSIX does not
+require a function to be Safe, but our implementation is Safe, or
+vice-versa.
+
+For the time being, the absence of this remark does not imply the safety
+propertes we documentated are identical to those mandated by POSIX for
+the corresponding functions.
+
+@end itemize
+
 
 @node Berkeley Unix, SVID, POSIX, Standards and Portability
 @subsection Berkeley Unix
diff --git a/manual/macros.texi b/manual/macros.texi
index daaf1c0..6955f32 100644
--- a/manual/macros.texi
+++ b/manual/macros.texi
@@ -47,4 +47,46 @@ GNU/Hurd systems
 GNU/Linux systems
 @end macro
 
+@c Document a function as thread safe.
+@macro mtsafe {comments}
+| MT-Safe \comments\
+|
+@end macro
+@c Document a function as thread unsafe.
+@macro mtunsafe {comments}
+| MT-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use in asynchronous signal handlers.
+@macro assafe {comments}
+| AS-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use in asynchronous signal
+@c handlers.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro asunsafe {comments}
+| AS-Unsafe \comments\
+|
+@end macro
+@c Document a function as safe for use when asynchronous cancellation is
+@c enabled.
+@macro acsafe {comments}
+| AC-Safe \comments\
+|
+@end macro
+@c Document a function as unsafe for use when asynchronous cancellation
+@c is enabled.  This distinguishes unmarked functions, for which this
+@c property has not been assessed, from those that have been analyzed.
+@macro acunsafe {comments}
+| AC-Unsafe \comments\
+|
+@end macro
+@c Format the thread and async safety properties of a function.
+@macro safety {notes}
+\notes\
+
+
+@end macro
+
 @end ifclear

-----------------------------------------------------------------------


hooks/post-receive
-- 
GNU C Library master sources


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]